Abstract. The timed automaton model of [LyV92, LyV93] is a general model for 
timing-based systems. A notion of timed action transducer is here defined as 
an automata-theoretic way of representing operations on timed automata. It is 
shown that two timed trace inclusion relations are substitutive with respect to 
operations that can be described by timed action transducers. Examples are given 
of operations that can be described in this way, and a preliminary proposal 
is given for an appropriate language of operators for describing timing-based 
systems. 


1. Introduction 

The timed automaton model of [LyV92, LyV93] is a general model for timing-based 
systems. It is intended as a basis for formal reasoning about such systems, in 
particular, for verification of their correctness and for analysis of their complexity. 
In [LyV92, LyV93], we develop a full range of simulation proof methods for timed 
automata; these methods are used in [LLS93, BPV94, HeL94] to verify the correctness 
of timed protocols for communication, audio control and real-time process 
control, respectively. In this paper, we continue the development by studying 
process algebras for the same model. Eventually, we envision using a combination 
of proof methods, perhaps even using several in the verification of single system. 


1.1. Timed Automata 

A timed automaton is an automaton (or labelled transition system) with some 
additional structure. There are three types of actions: time-passage actions, visible 
actions and the special internal action τ. All except the time-passage actions are 
thought of as occurring instantaneously. To specify times, a dense time domain is 
used, specifically, the nonnegative reals, and no lower bounds are imposed on the 
times between events. Two notions of external behaviour are considered. First, as 
the finite behaviours, we take the finite timed traces, each of which consists of a 
finite sequence of timed visible actions together with a final time. Second, as the 
infinite behaviours, we take the admissible timed traces, each of which consists of 
a sequence of timed visible actions that can occur in an admissible execution, i.e., 
an execution in which time grows unboundedly. 

The timed automaton model permits description of algorithms and systems 
at different levels of abstraction. We say that one timed automaton A implements 
another timed automaton B if the sets of finite and admissible timed traces 
of A are included in the corresponding trace sets of B. Justification for the 
use of trace inclusions to define “implementation” appears, for example, in the 
work of Gawlick, Segala, Søgaard-Andersen and Lynch [GSSL94]. Basically, this 
justification amounts to showing that the set of admissible timed traces of A 
is not trivial. Doing this depends on a classification of the visible actions of A 
as input actions or output actions, as in the I/O automaton model of [LyT87]. 
Then A is required to have the property that each of its finite executions can be 
extended to an admissible execution in a way that includes any given “non-Zeno” 
input pattern. Showing that this property holds for a given timed automaton A 
is an interesting problem, but we do not address this problem in this paper. 

In the untimed setting, bisimulation equivalences have been reasonably successful 
as notions of implementation between transition systems [BaW90, Mil89]. 
Consequently, bisimulation equivalences have also been proposed as implementation 
relations for the timed setting [BaB91, Klu93, MoT90, NiS94, Yi90]. 
However, we do not believe that bisimulations will turn out to be very useful as 
implementation relations in the timed case. The problem is that they do not allow 
one to abstract in specifications from the often very complex timing behaviour 
of implementations (see Chapter 10 of [Klu93] for an example). 

Since we believe that timed trace inclusion does form a good notion of 
implementation, we are interested in identifying operations on timed automata 
for which the timed trace inclusion relation is substitutive. This substitutivity is a 
prerequisite for the compositional verification of systems using timed automata. It 
should also enable verification of systems using a combination of compositional 
methods and methods based on levels of abstraction. 


1.2. Action Transducers 

We represent operations by automaton-like objects that we call action transducers, 
rather than, for example, using SOS specifications [Plo81]. For an example of an 
action transducer, consider the operation ||| of interleaving parallel composition. 
It can be described by an automaton with a single state s and transitions (one 
for each action a): 

$s \xrightarrow{a,\{(1,a)\}} s$ and $s \xrightarrow{a,\{(2,a)\}} s$ 

The left transition says that the composition can perform an a action when 
its first argument performs an a-action, while the right transition says that the 
composition can perform an a action when its second argument does so. Together, 
the transitions say that the automaton A ||| B can do an a-step whenever one 
of its arguments can do so. In the SOS approach, the same operator ||| can be 
described by inference rules (one for each action a): 

$\frac{x \xrightarrow{a} x'}{x \,|||\, y \xrightarrow{a} x' \,|||\, y} \qquad \frac{y \xrightarrow{a} y'}{x \,|||\, y \xrightarrow{a} x \,|||\, y'}$ 

The two styles of describing operators, SOS and action transducers, are quite 
similar. In fact, it is shown in [Vaa93] how SOS specifications in a variant of a 
format proposed by De Simone [Sim85] can be translated to equivalent action 
transducers, and vice versa. 

However, action transducers are more convenient for our purposes. First, 
although it is easy to see how SOS specifications determine automata, it is less clear 
how to regard them as defining operations on automata. For action transducers, 
this correspondence is more direct. Second, as noted by Larsen and Xinxin 
[LaX90], action transducers are a convenient tool for studying compositionality 
questions, and their use tends to simplify proofs. Third, action transducers can 
easily be defined to allow multiple start states. Multiple start states have turned 
out to be useful in untimed automaton formalisms for concurrency such as the 
I/O automaton model, and we would like to include them. We do not know how 
to model start states in the setting of SOS. 

As mentioned above, the action transducers we consider have multiple start 
states. They also include holes, which describe locations for holding argument 
automata. In fact, our action transducers also allow holes to be coloured, which 
allows us to express the condition that several holes (those of the same colour) 
must hold copies of the same automaton. The concepts of multiple start states 
and of coloured holes are not present in [LaX90]. 


1.3. Results 

The major result of our paper is that the timed trace inclusion relation is substitutive 
with respect to all operations that can be described by our action transducers, 
provided they satisfy a number of conditions that concern the handling of internal 
and time-passage steps. 

After proving substitutivity for a general class of operations, we describe many 
examples of specific operations that fall into this class. These include most of 
the usual untimed operations from process algebra, in particular, sequential and 
parallel composition, external choice, action hiding and renaming. Other untimed 
operations included are an interrupt operation similar to those used in Extended 
LOTOS [Bri88] and CSP [Hoa85], disjoint union, and a binary version of Kleene’s 
star. We also describe several timed operations as timed action transducers: a 
CLOCK operation directly inspired by the clock variables of [AlD94, AlH94], a 
BOUND operation that can block the passage of time, and a RATE operation 
that can change the speed of its argument. On the other hand, there are several 
operators that have been proposed in the literature that do not fit our format 
of action transducers, in particular, the CCS-style choice operation present in 
[BaB91, MoT90, NiS94, Yi90]. This operation cannot be expressed as a timed 
action transducer because the timed trace inclusion relation is not substitutive 
with respect to it. 

We briefly consider the design of an appropriate language of operators for 
describing timing-based systems. Such a language should consist of a small 
number of basic operations, both timed and untimed, out of which more complex 
operations can be built. The basic and derived operations together should be 
sufficient to describe most interesting timing-based systems. As a starting point, 
we believe that such a language ought to include the basic untimed operations 
that are already well understood and generally accepted. To this end, we describe 
a simple and general construction, inspired by Nicollin and Sifakis [NiS92], 
to transform any untimed operation into a timed one that behaves essentially 
the same and moreover does not use or constrain the time. By applying this 
construction to the well-known untimed operations, we obtain a collection of 
corresponding timed operations that we believe should be included in a real-time 
process language. 

The untimed operations alone are not enough, however; a real-time process 
language also must include operations that use and constrain time explicitly. Of 
the many possibilities, we would like to identify a small number that can be 
used for constructing all the others. For this purpose, we tentatively propose 
our CLOCK, BOUND and RATE operations mentioned above. Using only these 
operations and untimed operations, we can construct many of the other timed 
operations appearing in the literature, including a very general timer similar to 
that used in the timed ω-automata model of Alur and Dill [AlD94], the timeout 
construct of Timed CSP [ReR88, DaS89], and the execution delay operation of 
the timed process algebra ATP [NiS94]. We can also define a minor variant of 
Alur and Dill’s timed automata [AlD94], as well as the finite-state subcase of the 
timed automaton model of Merritt, Modugno and Tuttle [MMT91]. All of this 
provides evidence of the power of our proposed language. 

The decidability and closure properties of Alur-Dill automata suggest that 
they can be regarded as a real-time analogue of classical finite automata. In 
the untimed setting, a crucial characteristic of algebras like CCS is that they 
can easily describe finite automata. Thus by analogy, a natural requirement for 
a real-time process language is that it can easily describe Alur-Dill automata. 
Nicollin, Sifakis and Yovine [NSY93] give a translation from ATP into Alur-Dill 
automata, but do not investigate the reverse translation. In fact it appears that, 
besides our language, only the real-time ACP language of Baeten and Bergstra 
[BaB91] is sufficiently expressive to allow for a direct encoding of Alur-Dill 
automata. 

We present our definitions and results for timed systems by first presenting 
related definitions and results for untimed systems, and then building upon those 
to obtain the corresponding timed concepts. Thus, byproducts of our results for 
timed systems include a definition and a substitutivity theorem for untimed action 
transducers, as well as a demonstration that the most commonly used untimed 
operations can be expressed as action transducers. These byproducts may be of 
some interest in themselves. 

In summary, we believe that the main contributions of the paper are: (1) the 
definitions of action transducers and timed action transducers, (2) the substitutivity 
results for traces and timed traces, (3) the presentation of a large number 
of interesting operators, timed and untimed, as action transducers, and (4) a 
preliminary proposal for a process language for timed systems. We see these all 
as pieces of a unified proof methodology for timed systems. 


2. The Untimed Setting 

We begin by describing action transducers for the untimed setting. Later, the 
concepts needed for the timed setting will be defined in terms of corresponding 
concepts for the untimed setting. 


2.1. Automata 

An (untimed) automaton A consists of: 

• a set states(A) of states, 

• a nonempty set start(A) ⊆ states(A) of start states, 

• a set acts(A) of actions that includes the internal action τ, and 

• a set steps(A) ⊆ states(A) × acts(A) × states(A) of steps. 

We let s, s', u, u', … range over states, and a, … over actions. The set ext(A) of external 
actions is defined by ext(A) = acts(A) − {τ}. We write $s' \xrightarrow{a}_A s$ as a shorthand 
for (s', a, s) ∈ steps(A). We suppress the subscript A where no confusion is likely. 
Automaton A is called finite if all its components are finite sets. 

The term event will be used to refer to an occurrence of an action in a 
sequence. 


2.2. Executions and Traces 

An execution fragment of an automaton A is a finite or infinite alternating sequence 
$s_0 a_1 s_1 a_2 s_2 \cdots$ of states and actions of A, beginning with a state, and if it is finite 
also ending with a state, such that for all i, $s_i \xrightarrow{a_{i+1}} s_{i+1}$. An execution of A is an 
execution fragment that begins with a start state. A state s of A is reachable if it 
is the last state of some finite execution of A. 

For $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ an execution fragment, trace(α) is defined as the sequence 
obtained from $a_1 a_2 \cdots$ by removing all τ’s. A sequence β of actions is a trace 
of A if A has an execution α with β = trace(α). We write traces*(A), traces^ω(A) 
and traces(A) for the sets of finite, infinite and all traces of A, respectively. These 
notions induce three preorders on automata: we define A ≤_* B iff traces*(A) ⊆ 
traces*(B), A ≤_ω B iff traces^ω(A) ⊆ traces^ω(B), and A ≤ B iff traces(A) ⊆ 
traces(B). Recall that the kernel of a preorder ⊑ is the equivalence ≡ defined by 
x ≡ y iff x ⊑ y ∧ y ⊑ x. We denote by ≡_*, ≡_ω and ≡ the respective kernels of 
these preorders. 
2.3. Action Transducers 

We now define a notion of action transducer, as an explicit representation of 
certain operations on automata. We consider operations with a possibly infinite 
set of arguments. As placeholders for these arguments, an action transducer 
contains a set of colours. Sometimes we will find it useful to make several copies 
of an argument automaton. To this end an action transducer is equipped with a 
set of holes and a mapping that associates a colour to each hole. The idea is that 
we plug into each hole a copy of the argument automaton for which the colour 
of the hole serves as placeholder. As a useful analogy one can consider the way 
in which a term with free variables determines an operation on terms: here the 
variables play the role of colours, and the occurrences of variables serve as holes. 
As the rest of its “static” description, an action transducer has an associated 
global set of actions, and, for each colour, a local set of actions. 

The “dynamic” part of an action transducer is essentially an automaton: a set 
of states, a nonempty set of start states, and a step relation. The elements of the 
step relation are 4-tuples of source state, action, trigger and target state. Here the 
trigger is a function that tells, for each hole, whether the argument automaton in 
that hole idles or participates in the step, and if it participates, by which action. 

2.3.1. Definition 

Formally, an (action) transducer T consists of: 

• a set states(T) of states, 

• a nonempty set start(T) ⊆ states(T) of start states, 

• a set holes(T) of holes, 

• a set colours(T) of colours, 

• for each hole i, a colour col(T, i), 

• a set acts(T) of actions that includes τ, 

• for each colour c, a set acts(T, c) of actions that includes τ but excludes the 
no-action symbol 0, 

• a set steps(T) ⊆ states(T) × acts(T) × triggers(T) × states(T) of steps, where 
triggers(T) is the set of maps η that assign to each hole i either 0 or an action 
in acts(T, col(T, i)). 

We say that hole i participates in a step (s', a, η, s) if η(i) ≠ 0; hole i is active 
in s' if it participates in some step starting with s'. For each state s', we define 
active(T, s') as the set of holes that are active in s'. 

We define the sets of external actions of T by ext(T) = acts(T) − {τ}, 
and, for each c, ext(T, c) = acts(T, c) − {τ}. We write $s' \xrightarrow{a,\eta}_T s$ instead of 
(s', a, η, s) ∈ steps(T), and suppress the argument T when no confusion is likely. 
We often represent a trigger η by the set {(i, a) | η(i) = a ≠ 0}. 

2.3.2. Executions and Traces 

An execution fragment of an action transducer T is a finite or infinite alternating 
sequence $s_0 a_1 \eta_1 s_1 a_2 \eta_2 s_2 \cdots$ of states, actions and triggers of T, beginning with a 
state, and if it is finite also ending with a state, such that for all i, $s_i \xrightarrow{a_{i+1},\eta_{i+1}} s_{i+1}$. An 
execution of T is an execution fragment that begins with a start state. 

For $\gamma = s_0 a_1 \eta_1 s_1 a_2 \eta_2 s_2 \cdots$ an execution fragment and i a hole, we define 

$trace(\gamma) = (a_1 a_2 \cdots) \lceil ext(T)$ 

$trace(\gamma, i) = (\eta_1(i)\, \eta_2(i) \cdots) \lceil ext(T, col(T, i))$ 

where $\sigma \lceil S$ denotes the subsequence of σ consisting of the elements that belong to S. 

2.3.3. Relation with Automata 


We view action transducers as a generalisation of automata. Specifically, if A is 
an automaton, then the associated action transducer trans(A) has the same states, 
start states and actions as A, empty sets of holes and colours, and its step relation 
given by: 

$s' \xrightarrow{a,\eta}_{trans(A)} s \;\equiv\; \eta = \emptyset \,\wedge\, s' \xrightarrow{a}_A s$ 

In this way, automata are embedded into the class of action transducers. We will 
frequently identify an automaton with its corresponding action transducer. 

Conversely, if T is an action transducer, then we can define an associated 
automaton, aut(T). Namely, aut(T) inherits the sets of states, start states and 
actions of T, and has its step relation defined by 


$s' \xrightarrow{a}_{aut(T)} s \;\equiv\; \exists \eta : s' \xrightarrow{a,\eta}_T s$ 

It is not hard to see that, for any automaton A, aut(trans(A)) = A, and for any 
action transducer T with an empty set of holes, trans(aut(T)) = T. 


2.3.4. Combining Action Transducers and Automata 

We define the meaning of an action transducer as an operation on automata. 
First, define an automaton assignment for T to be a function ξ that maps each 
colour c of T to an automaton in such a way that acts(ξ(c)) = acts(T, c). Suppose 
ξ is an automaton assignment for T, and let Z be the function that associates 
an automaton to each hole, by the rule Z(i) = ξ(col(T, i)). Then T(ξ) is the 
automaton A given by: 

• states(A) = {(s, z) | s ∈ states(T), z maps holes i of T to states of Z(i)}, 

• start(A) = {(s, z) | s ∈ start(T), z maps holes i of T to start states of Z(i)}, 

• acts(A) = acts(T), and 

• $(s', z') \xrightarrow{a} (s, z)$ if and only if 

$\exists \eta : s' \xrightarrow{a,\eta}_T s \;\wedge\; \forall i : [\text{if } \eta(i) = 0 \text{ then } z'(i) = z(i) \text{ else } z'(i) \xrightarrow{\eta(i)}_{Z(i)} z(i)]$ 

Thus, the steps of the automaton T(ξ) are just those that are allowed by the 
action transducer T, using triggers that describe steps allowed by the automata 
in the holes. 

It is useful to have explicit terminology for the sequence of triggers that are 
used to justify the steps in an execution of T(ξ). Thus, suppose that 

$\alpha = (s_0, z_0)\, a_1\, (s_1, z_1)\, a_2\, (s_2, z_2) \cdots$ 

is an execution of T(ξ). Suppose that for each hole i and each j ≥ 1, $s_{j-1} \xrightarrow{a_j,\eta_j} s_j$ 
and if $\eta_j(i) = 0$ then $z_{j-1}(i) = z_j(i)$ else $z_{j-1}(i) \xrightarrow{\eta_j(i)}_{Z(i)} z_j(i)$. Then we say that the 
sequence $\eta_1 \eta_2 \cdots$ is a trigger sequence for α. By definition of T(ξ) every execution 
has at least one trigger sequence (there may be more than one). 

Lemma 2.1. Suppose that T is an action transducer, ξ is an automaton assignment 
for T, and $\alpha = (s_0, z_0)\, a_1\, (s_1, z_1)\, a_2\, (s_2, z_2) \cdots$ is an execution of T(ξ) with 
trigger sequence $\eta = \eta_1 \eta_2 \cdots$. Then $\gamma = s_0 a_1 \eta_1 s_1 a_2 \eta_2 s_2 \cdots$ is an execution of T, 
and for each hole i of T, trace(γ, i) ∈ traces(ξ(col(T, i))). 

2.3.5. Remarks 

The importance of action transducers for process algebra and concurrency theory 
was first noted by Larsen and Xinxin [LaX90], who introduced a certain type 
of action transducer, which they call context systems, to study compositionality 
questions in the setting of process algebra. Our action transducers generalise 
those of Larsen and Xinxin [LaX90] in several respects: the distinction between 
colours and holes, which allows us to copy arguments, is new here. Also, Larsen 
and Xinxin [LaX90] only consider operations with a finite number of arguments, 
and a setting where automata just have one start state and no explicit set of 
associated actions. 

Note that, since we always start copies of an argument automaton from a start 
state, our notion of copying is different from that of Bloom, Istrail and Meyer 
[BIM88], who also allow copying from intermediate states. As a consequence, the 
trace preorder is substitutive for our operations, whereas it is not substitutive in 
general for the operations of [BIM88]. 

In this section we have defined the semantics of an action transducer as an 
operation on automata. In fact, it is often useful to interpret action transducers 
in a more general (and somewhat more complex) way, as operations on action 
transducers. We leave this generalisation to the reader. 


2.4. Substitutivity 

We say that a relation R on a class of automata 𝒜 is substitutive for an action 
transducer T if for all automaton assignments ξ, ξ' for T with range 𝒜, 

∀c ∈ colours(T) : ξ(c) R ξ'(c) ⟹ T(ξ) R T(ξ') 

In this subsection we present two substitutivity results for untimed action transducers. 
These results depend on certain additional assumptions involving the 
internal steps of the arguments. We express these assumptions in the following 
definition of the subclass of τ-respecting action transducers. Then we show that 
≤_* and ≤ are substitutive for all action transducers in this class. 

An action transducer T is τ-respecting if it satisfies the following constraints: 

1. For each state s and for each hole i that is active in s, T contains a clearing 
step, i.e., a step $s \xrightarrow{\tau,\{(i,\tau)\}} s$. 

2. The only steps with τ in the range of the trigger are clearing steps, i.e., if 
$s' \xrightarrow{a,\eta} s$ and η(i) = τ, then $s' \xrightarrow{a,\eta} s$ is a clearing step for s' and i. 

3. Only finitely many holes participate in each step, i.e., $s' \xrightarrow{a,\eta} s$ implies that 
{i | η(i) ≠ 0} is finite. 
Condition 1 says that the action transducer must permit the component automata 
to take internal steps, by means of special clearing steps of the action transducer, 
whereas Condition 2 says that clearing steps are the only steps of the action 
transducer that permit internal steps of the components. Condition 3 does not 
explicitly mention internal steps; however, this condition is needed in the substitutivity 
proof because of complications caused by internal steps. Conditions 
1 and 2 slightly strengthen similar constraints that are presented in [Vaa91] in 
the setting of SOS. Condition 3 does not occur in [Vaa91] because there only 
operations with a finite number of arguments are considered. However, a similar 
constraint appears in the I/O automaton model of [LyT87]. 
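As an added example (not code from the paper), the following Python encodes the definitions of Sections 2.1–2.4: untimed automata with bounded-depth trace enumeration, action transducers with triggers written as sets of (hole, action) pairs, the composition T(ξ) of Section 2.3.4, a check of the τ-respecting conditions above, and the interleaving operator ||| of Section 1.2 as a transducer, on which one constructed instance of the substitutivity stated by Theorem 2.2 is exhibited. The automata A, A2 and B, the depth bound and the string "tau" standing for τ are assumptions of the example.

```python
"""Untimed automata and action transducers (Sections 2.1-2.4) with the interleaving
operator ||| of Section 1.2 as the worked instance. Added example, not the paper's code."""
from itertools import product

TAU = "tau"   # stands for the internal action tau (name chosen for this example)


class Automaton:
    """An untimed automaton: states, start states, actions (always containing tau), steps (s', a, s)."""

    def __init__(self, states, start, acts, steps):
        self.states, self.start = set(states), set(start)
        self.acts, self.steps = set(acts) | {TAU}, set(steps)

    def finite_traces(self, depth):
        """traces*(A) witnessed by executions of at most `depth` steps; tau's are dropped (Sec. 2.2)."""
        frontier = {(s, ()) for s in self.start}
        traces = set()
        for _ in range(depth + 1):
            traces |= {tr for (_, tr) in frontier}
            frontier = {(s2, tr if a == TAU else tr + (a,))
                        for (s, tr) in frontier for (s1, a, s2) in self.steps if s1 == s}
        return traces


class Transducer:
    """Action transducer (Sec. 2.3.1); a trigger is the set {(i, a) | eta(i) = a != 0} as a frozenset."""

    def __init__(self, states, start, holes, col, acts, acts_c, steps):
        self.states, self.start, self.holes = set(states), set(start), sorted(holes)
        self.col, self.acts = dict(col), set(acts) | {TAU}
        self.acts_c, self.steps = dict(acts_c), set(steps)

    def apply(self, xi):
        """T(xi): plug the automaton xi[c] into every hole of colour c (Sec. 2.3.4)."""
        Z = {i: xi[self.col[i]] for i in self.holes}
        for i in self.holes:                       # xi must be an automaton assignment
            assert Z[i].acts == self.acts_c[self.col[i]]
        all_z = list(product(*(Z[i].states for i in self.holes)))
        states = {(s, z) for s in self.states for z in all_z}
        start = {(s, z) for s in self.start
                 for z in product(*(Z[i].start for i in self.holes))}
        steps = set()
        for (s1, a, eta, s2) in self.steps:
            eta = dict(eta)
            for z1 in all_z:
                # an idle hole keeps its state; a participating hole i takes an eta(i) step of Z(i)
                choices = [[z1[k]] if i not in eta else
                           [t for (u, b, t) in Z[i].steps if u == z1[k] and b == eta[i]]
                           for k, i in enumerate(self.holes)]
                for z2 in product(*choices):
                    steps.add(((s1, z1), a, (s2, z2)))
        return Automaton(states, start, self.acts, steps)

    def tau_respecting(self):
        """Conditions 1 and 2 of Sec. 2.4; Condition 3 holds for every finite trigger set."""
        for s in self.states:
            active = {i for (s1, _a, eta, _s2) in self.steps if s1 == s for (i, _b) in eta}
            # Condition 1: every active hole i has the clearing step s --tau,{(i,tau)}--> s
            if any((s, TAU, frozenset({(i, TAU)}), s) not in self.steps for i in active):
                return False
        for (s1, a, eta, s2) in self.steps:
            # Condition 2: tau may occur in a trigger only within a clearing step
            if any(b == TAU for (_i, b) in eta) and not (s1 == s2 and a == TAU and len(eta) == 1):
                return False
        return True


def interleaving(acts1, acts2):
    """The ||| transducer of Sec. 1.2: one state s and, for each action a of a hole, a step
    s --a,{(hole,a)}--> s. Taking a = tau gives exactly the clearing steps, so ||| is tau-respecting."""
    acts1, acts2 = set(acts1) | {TAU}, set(acts2) | {TAU}
    steps = ({("s", a, frozenset({(1, a)}), "s") for a in acts1}
             | {("s", a, frozenset({(2, a)}), "s") for a in acts2})
    return Transducer({"s"}, {"s"}, {1, 2}, {1: 1, 2: 2}, acts1 | acts2, {1: acts1, 2: acts2}, steps)


def demo():
    """Constructed instance of Theorem 2.2: A <=_* A2 implies A ||| B <=_* A2 ||| B."""
    A = Automaton({"p0", "p1", "p2", "p3"}, {"p0"}, {"a", "b", "c"},
                  {("p0", TAU, "p1"), ("p1", "a", "p2"), ("p2", "b", "p3")})
    A2 = Automaton({"q0", "q1", "q2", "q3"}, {"q0"}, {"a", "b", "c"},
                   {("q0", "a", "q1"), ("q1", "b", "q2"), ("q1", "c", "q3")})
    B = Automaton({"r0", "r1"}, {"r0"}, {"d"}, {("r0", "d", "r1")})
    T = interleaving(A.acts, B.acts)
    left, right = T.apply({1: A, 2: B}), T.apply({1: A2, 2: B})
    # Removing the clearing steps from ||| violates Condition 1.
    no_clear = Transducer(T.states, T.start, T.holes, T.col, T.acts, T.acts_c,
                          {st for st in T.steps if st[1] != TAU})
    return {
        "tau_respecting": T.tau_respecting(),
        "no_clearing_tau_respecting": no_clear.tau_respecting(),
        "args_included": A.finite_traces(6) <= A2.finite_traces(6),
        "composites_included": left.finite_traces(6) <= right.finite_traces(6),
        "left_traces": left.finite_traces(6),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```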

Theorem 2.2. The relations ≤_* and ≤ on automata are substitutive for all τ-respecting 
action transducers. 

Proof: Let T be a τ-respecting action transducer. We show that ≤ is substitutive 
for T. The proof that ≤_* is substitutive for T is similar but slightly simpler. 

Suppose ξ, ξ' are automaton assignments for T such that, for all c, ξ(c) ≤ ξ'(c), 
and suppose that β ∈ traces(T(ξ)). We must prove that β ∈ traces(T(ξ')). For 
this, define Z = λi.ξ(col(T, i)) and Z' = λi.ξ'(col(T, i)). Then Z(i) ≤ Z'(i) for 
each hole i. 

Since β ∈ traces(T(ξ)), T(ξ) has a (possibly finite) execution 

$\alpha = (s_0, z_0)\, a_1\, (s_1, z_1)\, a_2\, (s_2, z_2) \cdots$ 

with trace(α) = β. Let $\eta = \eta_1 \eta_2 \cdots$ be a trigger sequence for α, and let 

$\gamma = s_0 a_1 \eta_1 s_1 a_2 \eta_2 s_2 \cdots$ 

By Lemma 2.1, γ is an execution of T, and β_i = trace(γ, i) ∈ traces(Z(i)), for all 
i. Since Z(i) ≤ Z'(i), we obtain β_i ∈ traces(Z'(i)), for all i. Therefore for each i, 
Z'(i) has an execution α_i with trace(α_i) = β_i. Let γ_0 be the sequence obtained from 
γ by removing all clearing steps. Then γ_0 is an execution of T and trace(γ_0) = β. 
Informally speaking, our job is to “paste” together γ_0 and the α_i to obtain an 
execution of T(ξ'). We construct an automaton A that describes several allowable 
ways to do this pasting and that generates executions of T(ξ') with the required 
properties. The set of states of A consists of all valuations of the following state 
variables in their domains: 

• a variable frag ranging over the set of execution fragments of T. This variable 
denotes the part of γ_0 that still has to be dealt with. The initial value of frag 
is γ_0. 

• for each hole i, a variable frag_i ranging over execution fragments of Z'(i). 
This variable denotes the part of α_i that still has to be pasted together with 
(the remainder of) γ_0. The initial value of frag_i is α_i. 

• a variable exec ranging over finite executions of T(ξ'). The limit of the values 
of exec will be the execution of T(ξ') in which we are interested. The initial 
value of exec is the trivial execution consisting of the state composed from 
the first states of γ_0 and the first states of the α_i. 

Automaton A has actions CLEARING and BASIC, which correspond to the two 
different types of actions of T(ξ'): clearing steps, and “basic” steps. The transitions 
of A are defined using precondition/effect style in Fig. 1.⁴ The intuition is that, 
while building an execution of T(ξ'), automaton A peels off initial steps of γ_0 
and the α_i. If the remainder of γ_0 starts with an a step and, for each hole i that 
participates in this step, the remainder of α_i starts with the action required for hole 
i, then A can perform a BASIC step. If, for some hole i, the remainder of α_i starts 
with a τ step then A can perform a corresponding CLEARING step, provided 
that i participates in the next step of γ_0. 

BASIC 
  Precondition 
    ∧ frag begins with s a η 
    ∧ for all holes i that participate in the first step of frag: 
        frag_i begins with an η(i) step 
  Effect 
    remove the first step from frag; 
    for each hole i that participates in the first step of frag do 
      remove the first step from frag_i; 
    append to exec an a followed by the state of T(ξ') composed 
      from the first states of frag and all the frag_i 

CLEARING 
  Precondition 
    ∧ frag contains at least one step 
    ∧ hole i_0 participates in the first step of frag 
    ∧ frag_{i_0} begins with a τ step 
  Effect 
    remove the first step from frag_{i_0}; 
    append to exec a τ followed by the state of T(ξ') composed 
      from the first states of frag and all the frag_i 

Fig. 1. Algorithm for pasting together γ_0 and the α_i. 

We leave it to the reader to check that the definition of A is type correct, in 
the sense that each variable is only assigned values in its domain. 

Pick an arbitrary maximal execution $\delta = u_0 b_1 u_1 b_2 u_2 \cdots$ of A. Since the only 
way that exec is modified is by appending values, we can define α' as the limit of 
the values of exec along δ. By construction, α' is an execution of T(ξ'). We claim 
that trace(α') = β. 

In order to see this, we first establish that A satisfies the following invariant 
properties. Here we write u.v for the value of state variable v of A in state u. 

1. For all reachable states u, the concatenation trace(u.exec) trace(u.frag) equals β. 

2. For all reachable states u and for all holes i, trace(u.frag_i) = trace(u.frag, i). 

Proof: By simple inductive arguments. □ 

Using Invariants 1 and 2, we next prove two claims. 

Claim 1. Suppose u is a reachable state of A and u.frag is not a single-state 
execution fragment. Then u has an outgoing step. 


⁴ Here and elsewhere we use Lamport’s [Lam94] list notation for conjunction. In this notation the 
formula b_1 ∧ b_2 ∧ ⋯ ∧ b_n is written as the aligned list 
  ∧ b_1 
  ∧ b_2 
    ⋮ 
  ∧ b_n 
Proof: Let $s' \xrightarrow{a,\eta} s$ be the first step of u.frag. If, for some hole i that participates 
in this first step, u.frag_i begins with a τ-step, then a CLEARING action is enabled 
in u. If, for no hole i that participates in the first step, frag_i starts with a τ step, 
then it follows by Invariant 2 that, for each of these holes i, frag_i starts with an 
η(i) step. But this means that a BASIC action is enabled in u. □ 

Claim 2. Execution δ has no infinite suffix that consists of CLEARING steps 
only. 

Proof: Suppose that starting from some state u_n, execution δ consists entirely 
of CLEARING steps. That is, from u_n onwards all the steps of δ simulate τ 
steps of components that participate in the first step of u_n.frag. Because T is 
τ-respecting, there are only finitely many such participants. Consider any individual 
participant i. By Invariant 2, u_n.frag_i contains an η(i) step after finitely many τ 
steps. Therefore, only finitely many CLEARING steps in δ correspond to τ steps 
of i. Thus, δ contains only a finite number of consecutive CLEARING steps starting 
from u_n, a contradiction. □ 

Now we return to the proof that trace(α') = β. Again we consider cases. 

1. Suppose δ contains only finitely many BASIC actions. By Claim 2, execution 
δ does not have an infinite suffix that consists of CLEARING steps only, 
so δ is finite.⁵ Suppose u_n is the final state of δ. Then, by Claim 1, u_n.frag 
consists of a single-state execution fragment. In combination with Invariant 
1, this gives trace(u_n.exec) = β. But α' is defined as the limit of u_n.exec, so 
α' = u_n.exec. Hence trace(α') = β. 

2. Suppose δ contains infinitely many BASIC actions. Since frag is initially γ_0, 
and each BASIC step removes a step from γ_0, it follows that γ_0 is infinite. By 
Invariant 1, trace(u_j.exec) is a prefix of β for each j. Since each step of γ_0 is 
eventually simulated in α', trace(α') = β. 

Hence, β ∈ traces(T(ξ')), as required. This completes the proof of the theorem. 
□ 


In Section 3.4, we give an example to show that ≤_ω is not substitutive, even 
for τ-respecting action transducers. The converse of Theorem 2.2 does not hold: 
there are many examples of non-τ-respecting action transducers for which ≤_* 
and ≤ are substitutive. We give one example in Section 3.4. 


3. An Untimed Process Algebra 

In this section, we give several examples of operations that can be expressed as 
action transducers; all these operations are directly inspired by operations from 
well-known “untimed” process algebras such as CSP [Hoa85], CIRCAL [Mil85], 
CCS [Mil89], Extended LOTOS [Bri88] and ACP [BaW90]. Our motivation for 
presenting these examples is twofold: first, they serve as an illustration of how 
familiar process algebraic operations can be defined using action transducers, and 
second, the resulting language ℒ_u will form the basis of a timed process algebra 
that we will define in Section 5. 


⁵ At this point the proof for ≤_* is simpler, since all infinite executions can be excluded trivially. 
3.1. Preliminaries 

We first describe a number of conventions so that, in most cases, we do not 
have to specify the static part of action transducers explicitly. To begin with, 
we adopt the convention that, unless otherwise specified, the sets of holes and 
colours are the same, and the colouring function is the identity. Often, the set 
of colours will be an initial fragment {1, …, n} of the natural numbers. In this 
case we write T(A_1, …, A_n) for T(λc.A_c). We also use infix notation in the case 
of binary operations. All action transducers that we define are parameterised 
by the action sets of their arguments. Some of the action transducers also have 
other parameters. Unless stated otherwise, the (global) action set of an action 
transducer can be obtained by taking the set of all actions that occur in steps of 
the action transducer. 

We find it convenient to structure external actions as nonempty finite sets 
of labels, and to identify $\tau$ with the empty set of labels. This will permit a 
component automaton to perform several activities (labels) together, which the 
action transducer can handle separately. For instance, the sequential composition 
action transducer, described below, takes advantage of composite actions: a 
component can perform an arbitrary label simultaneously with a termination 
label, and the action transducer handles these two in different ways. The idea to 
choose sets of labels as the structure of actions was first introduced in CIRCAL, 
but is used in other algebras as well, for instance in Extended LOTOS. Typically, 
the generalisation to multiple label actions increases the expressive power of a 
process algebra. 

We regard non-composite external actions as a special case of composite 
actions, identifying the non-composite action a with the set {a}. For each action 
transducer $T$ we define $labels(T) = \bigcup ext(T)$. Similarly we define, for each colour 
$c$, $labels(T,c) = \bigcup ext(T,c)$. 

In our language we assume a special label $\surd$ to indicate successful termination 
and to transfer control to a subsequent process. Symbol $\surd$ is in the label set of all 
action transducers in the language as well as in the label sets of all their colours. 
The language has been designed such that any (closed) expression denotes an 
automaton in which no further transitions are possible after a transition whose 
label contains $\surd$. 


3.2. Operators 

3.2.1. Actions 


For any finite set $a$ of labels with $\surd \notin a$, we introduce an action transducer $a$. 
This action transducer performs the composite action consisting of $a$ together 
with the termination label and then halts. The action transducer has two states 
$s$ and $t$: it starts in $s$, performs action $a \cup \{\surd\}$, and then terminates in $t$: 

$$s \xrightarrow{\;a \cup \{\surd\}\;} t$$

By the correspondence described earlier, action transducer $a$ can equally well be 
regarded as an automaton. 
3.2.2. Sequential Composition 

Transducer $;$ describes the binary sequential composition operation of Extended 
LOTOS. The action transducer has two states $s_1$ and $s_2$. In the start state $s_1$, the 
action transducer runs its first argument up to successful termination, and then 
in state $s_2$ the action transducer runs its second argument. The steps are (for all 
actions $a$, $b$ of the first and second argument, respectively; the trigger, which 
records the action performed by each hole, is written below the arrow): 

$$s_1 \xrightarrow[1:a]{\;a\;} s_1 \quad \text{if } \surd \notin a$$
$$s_1 \xrightarrow[1:a]{\;a - \{\surd\}\;} s_2 \quad \text{if } \surd \in a$$
$$s_2 \xrightarrow[2:b]{\;b\;} s_2$$

Note that, unlike in ACP, $a ; \tau$ is different from $a$ (for $a \neq \tau$), because in the 
second automaton successful termination occurs simultaneously with $a$ whereas 
in the first automaton it occurs after the $a$. 

3.2.3. External Choice 

The external choice operation $\square$ is taken from CSP. This operation, which is 
parameterised by a finite index set $I$, waits for the first external action of any of 
its arguments and then runs that argument. The action transducer has distinct 
states $s_i$ for each $i \in I$, plus an additional state $s$, which is the start state. The 
steps are (for all $i$ and all actions $a$ of the $i$-th argument): 

$$s \xrightarrow[i:\tau]{\;\tau\;} s$$
$$s \xrightarrow[i:a]{\;a\;} s_i \quad \text{if } a \neq \tau$$
$$s_i \xrightarrow[i:a]{\;a\;} s_i$$

We write STOP for external choice over an empty index set. STOP is the simplest 
action transducer from our language. It has no holes, no colours, a single state, 
a single action $\surd$, and no steps. STOP represents the inactive agent, capable of 
no action whatsoever. 

3.2.4. Disjoint Union 

Parameterised by a finite index set $I$, action transducer $\sqcup$ takes the disjoint union 
of automata indexed by $I$. The $\sqcup$ construct exploits the feature of multiple start 
states. For each $i \in I$, the action transducer has a distinct state $s_i$, which is also a 
start state, and steps (for all actions $a$ of the $i$-th argument): 


Operation $\sqcup$ behaves in a similar way to the internal choice operation $\sqcap$ of CSP: it 
runs one, nondeterministically chosen argument. An interesting difference between 
the operational semantics of $\sqcup$ and $\sqcap$ is that in $a ; (b \sqcup c)$ the choice between 
$b$ and $c$ is made before execution of the $a$, whereas in $a ; (b \sqcap c)$ this choice 
is made after the $a$ has been done. This becomes apparent from the automata 
for these expressions, which are displayed in Fig. 2. Modulo trace equivalence, 
the differences between the two operations disappear: for all automata $A$ and $B$, 
$A \sqcup B \equiv A \sqcap B$. 
[Fig. 2 shows the automata for $a ; (b \sqcup c)$ and $a ; (b \sqcap c)$, with transitions labelled $a$, $\{b, \surd\}$ and $\{c, \surd\}$.] 

Fig. 2. The difference between $\sqcup$ and $\sqcap$. 


3.2.5. Relabelling 


For each function $f$ on labels such that $f(l) = \surd$ iff $l = \surd$, we introduce a unary 
relabelling operation $f$ that renames actions of its argument according to $f$. The 
action transducer has a single state $s$, which is the start state, and steps (for all 
actions $a$ of the argument, and with $f$ lifted to sets of labels): 

$$s \xrightarrow[1:a]{\;f(a)\;} s$$

3.2.6. Parallel Composition 

The binary action transducer $\|$, which describes the binary operation of parallel 
composition, is a slight variant of the dot operation of CIRCAL. The operation $\|$ 
generalises the usual definition of composition, taking into account the composite 
nature of actions. In the case where all actions of the arguments are singletons 
or $\tau$, the operator behaves just as the composition operator of CSP and the I/O 
automata model. The additional power of our composition operator is used in 
the proof of Theorem 3.1 and is indispensable in the timed extension of $\mathcal{L}_u$ 
in Section 5, where actions do not only contain synchronisation labels but also 
labels expressing timing constraints. 

The action transducer $\|$ has a single state $s$, which is the start state, and steps 
(for all actions $a$, $b$ of the first and second argument, respectively): 

$$s \xrightarrow[1:a]{\;a\;} s \quad \text{if } a \cap labels(\|,2) = \emptyset$$
$$s \xrightarrow[2:b]{\;b\;} s \quad \text{if } b \cap labels(\|,1) = \emptyset$$
$$s \xrightarrow[1:a,\,2:b]{\;a \cup b\;} s \quad \text{if } a \cap labels(\|,2) = b \cap labels(\|,1) \neq \emptyset$$

The restriction to nonempty sets of labels in the last step is not present in 
CIRCAL. There, independent actions from different components may occur 
simultaneously without synchronisation. We have excluded such behaviour here 
in order to keep our composition operation compatible with the one of CSP and 
the I/O automata model. 

When specifying systems it is often convenient to use a derived operator 
$\|_H$ that only requires its arguments to synchronise on a set of labels $H \cup \{\surd\}$. 
Suppose $A$ and $B$ are automata with label sets $L_A$ and $L_B$, respectively, and 
suppose $H \subseteq L_A \cap L_B$ is a set of non-$\surd$ labels. We define 

$$A \|_H B = Untag(Tag_1(A) \| Tag_2(B))$$

where $Untag$ and $Tag_i$ ($i = 1,2$) are relabelling functions given by: 

$$Tag_i(l) = \begin{cases} l_i & \text{if } l \in (L_A \cap L_B) - H \\ l & \text{otherwise} \end{cases}$$

$$Untag(l) = \begin{cases} k & \text{if } l = k_j,\; k \in (L_A \cap L_B) - H,\; j \in \{1,2\} \\ l & \text{otherwise} \end{cases}$$

The idea behind this definition is that first the functions $Tag_1$ and $Tag_2$ rename 
those labels of $A$ and $B$ on which we do not want to synchronise so that they are 
distinct. Then after the resulting automata have been composed in parallel, the 
function $Untag$ renames the tagged labels back to what they were originally. 
Note that the $\|$ and $\|_H$ operators are commutative and associative. 
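As an added illustration (not part of the paper), the following Python computes the steps of $\|$ for two components given as sets of composite actions, and the derived $\|_H$ via the $Tag$/$Untag$ encoding above; the component action sets are constructed sample data and the function names are my own.

```python
# Added example: the three step rules of || on composite actions (Section 3.2.6)
# and the derived operator ||_H = Untag(Tag_1(A) || Tag_2(B)). A component is
# represented only by its set of external actions (frozensets of labels); the
# sample components at the bottom are constructed for this illustration.
from itertools import product

TICK = "√"           # termination label, member of every label set
TAU = frozenset()    # tau is identified with the empty set of labels


def labels_of(actions):
    """labels(T, c): the union of all external actions of one component."""
    return frozenset().union(*actions)


def par_steps(acts1, acts2):
    """Steps of ||: triples (a, b, joint) where a (resp. b) is the action the
    first (resp. second) component performs, TAU if it does not take part,
    and joint is the external action of the composition."""
    L1, L2 = labels_of(acts1), labels_of(acts2)
    steps = set()
    for a in acts1:                      # rule 1: a shares no label with side 2
        if not (a & L2):
            steps.add((a, TAU, a))
    for b in acts2:                      # rule 2: b shares no label with side 1
        if not (b & L1):
            steps.add((TAU, b, b))
    for a, b in product(acts1, acts2):   # rule 3: synchronise on shared labels
        shared = a & L2
        if shared and shared == (b & L1):
            steps.add((a, b, a | b))
    return steps


def tag(i, L_A, L_B, H):
    """Tag_i: give labels in (L_A ∩ L_B) - H a side-specific copy (l, i).
    The termination label is never renamed (a relabelling has f(l) = √ iff l = √)."""
    common = ((L_A & L_B) - frozenset(H)) - {TICK}
    return lambda l: (l, i) if l in common else l


def untag(l):
    """Untag: strip the side marker put on by Tag_1 or Tag_2."""
    return l[0] if isinstance(l, tuple) else l


def relabel(actions, f):
    """The relabelling operator of Section 3.2.5, with f lifted to sets of labels."""
    return {frozenset(f(l) for l in a) for a in actions}


def par_H(acts1, acts2, H):
    """A ||_H B: synchronise only on H ∪ {√}; other shared labels interleave."""
    L_A, L_B = labels_of(acts1), labels_of(acts2)
    tagged = par_steps(relabel(acts1, tag(1, L_A, L_B, H)),
                       relabel(acts2, tag(2, L_A, L_B, H)))
    strip = lambda a: frozenset(untag(l) for l in a)
    return {(strip(a), strip(b), strip(j)) for a, b, j in tagged}


def fs(*labels):
    return frozenset(labels)


# Constructed sample: both sides can do x, and both terminate together on {c, √}.
A = {fs("x"), fs("a"), fs("c", TICK)}
B = {fs("x"), fs("b"), fs("c", TICK)}

if __name__ == "__main__":
    for s in sorted(par_steps(A, B), key=repr):     # x must synchronise
        print("||   :", s)
    for s in sorted(par_H(A, B, H={"c"}), key=repr):   # x interleaves, c and √ synchronise
        print("||_{c}:", s)
```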

3.2.7. Hiding 

The unary hiding operation \L hides all elements from a set L of labels by 
removing them from all actions of its argument. The action transducer has a 
single state s, which is the start state, and steps (for all a): 





3.2.8. Interrupts 


The binary action transducer $\triangle$ is very similar to the disruption composition of 
Extended LOTOS and the interrupt operation of CSP. The action transducer has 
three states $s_1$, $s_2$ and $t$. In start state $s_1$, the action transducer runs its first 
argument until the second argument performs an external action; if and when 
this occurs, the action transducer moves to state $s_2$ in which the first argument 
is disabled and the second argument takes over. If in state $s_1$ the first argument 
terminates successfully, the action transducer moves to the termination state $t$. 
The steps are (for all actions $a$, $b$ of the first and second argument, respectively): 

$$s_1 \xrightarrow[1:a]{\;a\;} s_1 \quad \text{if } \surd \notin a$$
$$s_1 \xrightarrow[1:a]{\;a\;} t \quad \text{if } \surd \in a$$
$$s_1 \xrightarrow[2:\tau]{\;\tau\;} s_1$$
$$s_1 \xrightarrow[2:b]{\;b\;} s_2 \quad \text{if } b \neq \tau$$
$$s_2 \xrightarrow[2:b]{\;b\;} s_2$$


3.2.9. Iteration 


We introduce iteration in our language by means of a binary version of Kleene’s 
star operator: $A * B$ is the automaton that chooses between $A$ and $B$, and upon 
successful termination of $A$ has this choice again. A key identity satisfied by the 
operator is 

$$A * B = A ; (A * B) \;\square\; B$$

Kleene’s star operation is best known in its unary form, but in fact the original 
operator introduced by Kleene in [Kle56] was binary. Recently, the binary star 
has been studied in the context of ACP in [BBP94, FoZ94]. 
The iteration construct exploits the ability of action transducers to copy 
their arguments: it uses an infinite number of copies of both the first and 
the second argument. Formally, the action transducer has colours $\{1,2\}$, holes 
$\{1,2,\ldots\} \cup \{1',2',\ldots\}$, and a colouring function that, for $i \in \mathbb{N}^+$, maps hole $i$ to 
colour 1 and hole $i'$ to colour 2. The action transducer has states $\{s_i, l_i, r_i \mid i \in \mathbb{N}^+\}$. 
In state $s_i$, the action transducer chooses between execution of the $i$-th copy of 
the first argument or execution of the $i$-th copy of the second argument. In state 
$l_i$, the action transducer is running the $i$-th copy of the first argument, and in 
state $r_i$ the action transducer runs the $i$-th copy of the second argument. The 
initial state is $s_1$, and the steps are (for all actions $a$ and $b$ of the first and second 
argument, respectively): 

$$s_i \xrightarrow[i:a]{\;a\;} l_i \quad \text{if } \surd \notin a \neq \tau$$
$$l_i \xrightarrow[i:a]{\;a\;} l_i \quad \text{if } \surd \notin a$$
$$s_i \xrightarrow[i:a]{\;a - \{\surd\}\;} s_{i+1} \quad \text{if } \surd \in a$$
$$l_i \xrightarrow[i:a]{\;a - \{\surd\}\;} s_{i+1} \quad \text{if } \surd \in a$$
$$s_i \xrightarrow[i':b]{\;b\;} r_i \quad \text{if } b \neq \tau$$
$$r_i \xrightarrow[i':b]{\;b\;} r_i$$
$$s_i \xrightarrow[i:\tau]{\;\tau\;} s_i$$
$$s_i \xrightarrow[i':\tau]{\;\tau\;} s_i$$


Using the $*$ operator, we can easily define the unary looping operator $\omega$, which 
restarts its argument upon each successful termination: 

$$A^\omega = A * STOP$$

Despite what the notation might suggest, operator $\omega$ does not run $A$ a finite 
number of times and then stop! In a choice context the STOP process should 
be viewed as the absence of an alternative: each time the action transducer $*$ is 
faced with a choice between $A$ and STOP, it must choose the $A$. 

As an example of the iteration and looping constructs, consider the following 
expression, which describes an automatic switch-off mechanism: 

$$SWITCH = (sw\_on \;;\; (sw\_on * sw\_off))^{\omega}$$

The system allows the environment to switch on a lamp at any time by pushing 
some button; once the lamp has been switched on, it will remain on, even if the 
button is pushed again, until it is switched off by the system. In Section 5, we 
will come back to this example and show how we can add real-time constraints 
to make it more interesting. 


3.3. Expressivity of $\mathcal{L}_u$ 

We define $\mathcal{L}_u$ to be the language consisting of all (closed) expressions built 
with the operations of Section 3.2. Since all the corresponding action transducers 
are $\tau$-respecting, it follows from Theorem 2.2 that the preorders $\leq_*$ and $\leq$ are 
substitutive for all the operations in $\mathcal{L}_u$. 

The automata denoted by expressions in $\mathcal{L}_u$ are always acyclic but need not 
be finite. In particular, each nontrivial use of the iteration construct gives rise 
to an automaton with an infinite number of reachable states. However, under 
the condition that no $\sqcup$ occurs within the first argument of a $*$-operator, each 
expression in $\mathcal{L}_u$ has a tree unfolding which is isomorphic to the tree unfolding 
of a finite automaton. In the case of expressions where $\sqcup$ occurs within the first 
argument of a $*$-operator, the underlying automaton will still be trace equivalent 
to a finite automaton, but no longer “tree equivalent” (consider the automaton 
denoted by $(a \sqcup b)^\omega$: this automaton has infinitely many start states, one for each 
infinite sequence over $\{a,b\}$). All automata denoted by $\mathcal{L}_u$-expressions further 
have the property that after a transition with a label containing $\surd$, no further 
steps are possible. The following theorem states that $\mathcal{L}_u$ is universally expressive 
for the class of finite automata with this property. In the proof of this result all 
operators of the language play a role. 

Theorem 3.1. Suppose that $A$ is a finite automaton in which no further steps are 
possible after a transition whose label contains $\surd$. Then the tree unfolding of $A$ is 
isomorphic to the tree unfolding of the automaton associated to some expression 
in $\mathcal{L}_u$. 


Proof: (Sketch) Without loss of generality, we may assume that A only has a 
single start state: any finite automaton with n > 1 start states is tree equivalent 
to the disjoint union of n copies of this automaton in which the set of start states 
is restricted to a singleton. 

Also without loss of generality, we may assume that A has no self-loops, i.e., 
steps of the form s —> s: for each finite automaton with such self-loops one can 
construct an equivalent finite automaton without them, for instance by adding a 
boolean “history variable” that records whether the number of transitions thus 
far is even. 

Let $states(A) = \{s_0,\ldots,s_n\}$, let $start(A) = \{s_0\}$, and let $S$ be short for $steps(A)$. 
In the $\mathcal{L}_u$-expression that encodes $A$, we use elements of $S$ as auxiliary labels. 
The expression is 

$$(((X_0 \|_{S_1} X_1) \|_{S_2} X_2) \cdots \|_{S_n} X_n) \setminus S$$

where, for $i > 0$, 

$$S_i = \text{the set of all steps between } s_i \text{ and states in } \{s_0,\ldots,s_{i-1}\} \;\cup\; \text{the set of all steps } t \text{ with } \surd \in action(t)$$

$$X_0 = ((\textit{non-final step}_0 \;;\; \textit{wait}_0) * \textit{final step}_0) \;\triangle\; \textit{final step\_other}_0$$
$$X_i = [\textit{wait}_i \;;\; ((\textit{non-final step}_i \;;\; \textit{wait}_i) * \textit{final step}_i)] \;\triangle\; \textit{final step\_other}_i$$

where, for $i \geq 0$, 

$$\textit{wait}_i = \square_{\{t \in S \mid target(t) = s_i \,\wedge\, \surd \notin action(t)\}} \{t\}$$
$$\textit{non-final step}_i = \square_{\{t \in S \mid source(t) = s_i \,\wedge\, \surd \notin action(t)\}} (\{t\} \cup action(t))$$
$$\textit{final step}_i = \square_{\{t \in S \mid source(t) = s_i \,\wedge\, \surd \in action(t)\}} (\{t\} \cup (action(t) - \{\surd\}))$$
$$\textit{final step\_other}_i = \square_{\{t \in S \mid source(t) \neq s_i \,\wedge\, \surd \in action(t)\}} \{t\}$$

□ 


3.4. Counterexamples 

An example of an operation for which $\leq_*$ is not substitutive is parallel composition 
over an infinite index set $I$. We have $a \equiv_* \tau ; a$ but not 

$$\|_{i \in I}(a) \;\leq_*\; \|_{i \in I}(\tau ; a)$$

because the automaton on the left has a trace $a$, which the automaton on the right 
does not have, since it has to do an infinite number of $\tau$-actions “first”. Another 
example is the version of (binary) parallel composition obtained by requiring 
the argument automata to synchronise on $\tau$. Here one loses substitutivity since 
$a \equiv_* \tau ; a$ but not $a \| a \leq_* (\tau ; a) \| a$, because the automaton on the left has a trace 
$a$, which the automaton on the right does not have, since the initial $\tau$-action of 
the first argument cannot synchronise with a $\tau$-action of the second argument. 
Note that neither of these two examples is $\tau$-respecting. 

It is not the case that preorder $\leq_\infty$ is substitutive for all $\tau$-respecting action 
transducers. For instance, we have $\tau \equiv_\infty STOP$ but not $\tau ; a^\omega \leq_\infty STOP ; a^\omega$. 

As an example of a non-$\tau$-respecting action transducer for which $\leq_*$ and $\leq$ 
are substitutive, consider the choice operation $+$ from CCS. The action transducer 
for this operation can be obtained by removing all clearing steps from the initial 
state of the action transducer for $\square$, and instead allowing $a$ to range over $\tau$ in 
the second equation as well, so that $\tau$-steps can force the choice. The resulting 
action transducer is clearly not $\tau$-respecting. In Section 5.3, we will show that 
the timed trace preorders are not substitutive for the timed version of the CCS 
choice operation. 


4. The Timed Setting 

Now we extend the notions described in Section 2 to the case of timed systems. 
We follow the same general outline, introducing time systematically into all of 
the definitions and results. 


4.1. Timed Automata 

We use a slight variant of the timed automaton model from [LyV93].$^6$ A timed 
automaton $A$ is an automaton whose set of actions includes $\mathbb{R}^+$, the set of positive 
reals. Actions from $\mathbb{R}^+$ are referred to as time-passage actions. We let $d, d', \ldots$ 
range over $\mathbb{R}^+$ and, more generally, $t, t', \ldots$ over the set $\mathbb{R}$ of real numbers. The 
set of visible actions is defined by $vis(A) = ext(A) - \mathbb{R}^+$. We assume that a timed 
automaton satisfies the following axioms. 

S1 If $s' \xrightarrow{d} s''$ and $s'' \xrightarrow{d'} s$, then $s' \xrightarrow{d+d'} s$ 

For the second axiom, an auxiliary definition is needed. A trajectory for a step 
$s' \xrightarrow{d} s$ is a function $w : [0,d] \to states(A)$ such that $w(0) = s'$, $w(d) = s$, and 

$$w(t) \xrightarrow{\;t'-t\;} w(t') \quad \text{for all } t, t' \in [0,d] \text{ with } t < t'$$

Now we can state the second axiom. 

S2 Each step $s \xrightarrow{d} s'$ has a trajectory 

Axiom S1 gives a natural property of time, namely that if time can pass in two 
steps, then it can also pass in a single step. The trajectory axiom S2 is a kind of 


6 The difference is just the explicit indication of the amount of elapsed time in the time-passage 
action instead of using a .now function that associates the current time to a state. 
converse to S1; it says that any time-passage step can be “filled in” with states 
for each intervening time, in a “consistent” way. For a further discussion of this 
axiom we refer to [LyV93, JSV93]. 


4.2. Timed Traces 

Executions of timed automata correspond to what are called sampling computations 
in [MaP93]: they provide information about a run of a system at a countable 
number of points in time. In [LyV93], a notion of timed execution is also defined 
for timed automata: these are alternating sequences of trajectories and actions, 
which correspond to the super-dense computations of [MaP93]. It can be argued 
that timed executions provide a more precise representation of the behaviour 
of real-time systems than (sampling) executions. However, our trajectory axiom 
S2 guarantees that for each (sampling) execution of a timed automaton there 
exists a corresponding timed execution. This means that the full externally visible 
behaviour of timed automata can already be inferred from the technically much 
simpler (sampling) executions. This is done in the following definitions. 

Suppose $\alpha = s_0 a_1 s_1 a_2 \cdots$ is an execution fragment of a timed automaton $A$. 
For each index $j$, let $t_j$ be given by 

$$t_0 = 0$$
$$t_{j+1} = \text{if } a_{j+1} \in \mathbb{R}^+ \text{ then } t_j + a_{j+1} \text{ else } t_j$$

The limit time of $\alpha$, notation $ltime(\alpha)$, is the smallest element of $\mathbb{R}^{\geq 0} \cup \{\infty\}$ larger 
than or equal to all the $t_j$, i.e., we define $ltime(\alpha) = \sup_j(t_j)$. We say $\alpha$ is admissible 
if $ltime(\alpha) = \infty$, and Zeno if it is an infinite sequence but with a finite limit time. 
The timed trace $t\text{-}trace(\alpha)$ associated with $\alpha$ is defined by 

$$t\text{-}trace(\alpha) = (((a_1,t_1)(a_2,t_2)\cdots) \lceil (vis(A) \times \mathbb{R}^{\geq 0}),\; ltime(\alpha))$$

Thus, $t\text{-}trace(\alpha)$ records the visible actions of $\alpha$ paired with their times of occurrence, 
as well as the limit time of the execution. 

A pair $\beta$ is a timed trace of $A$ if it is the timed trace of some finite or 
admissible execution of $A$. Thus, we explicitly exclude the timed traces that 
originate from Zeno executions. We write $t\text{-}traces(A)$ for the set of all timed 
traces of $A$, $t\text{-}traces^*(A)$ for the set of finite timed traces, i.e., those that originate 
from finite executions, and $t\text{-}traces^\infty(A)$ for the admissible timed traces, i.e., those 
that originate from admissible executions. These notions induce three preorders 
on timed automata: $A \leq^t B$ iff $t\text{-}traces(A) \subseteq t\text{-}traces(B)$, 
$A \leq^t_* B$ iff $t\text{-}traces^*(A) \subseteq t\text{-}traces^*(B)$, and 
$A \leq^t_\infty B$ iff $t\text{-}traces^\infty(A) \subseteq t\text{-}traces^\infty(B)$. The kernels of these 
preorders are denoted by $\equiv^t$, $\equiv^t_*$ and $\equiv^t_\infty$, respectively. 

A timed sequence over a given alphabet $K$ is a (finite or infinite) sequence $\delta$ 
over $K \times \mathbb{R}^{\geq 0}$ in which the time components are nondecreasing, i.e., $t \leq t'$ if $(k,t)$ 
and $(k',t')$ are consecutive elements in $\delta$. A timed sequence pair over $K$ is a pair 
$\beta = (\delta, t)$, where $\delta$ is a timed sequence over $K$ and $t \in \mathbb{R}^{\geq 0} \cup \{\infty\}$, such that $t$ is 
greater than or equal to all time components in $\delta$. We say that $\beta$ is finite if $\delta$ is a 
finite sequence and $t < \infty$. 

Clearly, all timed traces of a timed automaton $A$ are timed sequence pairs 
over $ext(A)$. In particular, all finite timed traces are finite timed sequence pairs. 
Suppose $\beta$ and $\beta'$ are timed sequence pairs such that $\beta$ is finite. Let 

$$\beta = ((k_1,t_1)(k_2,t_2)\cdots(k_n,t_n),\; t)$$
$$\beta' = ((k'_1,t'_1)(k'_2,t'_2)\cdots,\; t')$$

Then we define $\beta ; \beta'$ to be the timed sequence pair 

$$((k_1,t_1)(k_2,t_2)\cdots(k_n,t_n)(k'_1, t+t'_1)(k'_2, t+t'_2)\cdots,\; t+t')$$

If $\beta$ and $\beta'$ are timed sequence pairs then $\beta$ is a prefix of $\beta'$, notation $\beta \leq \beta'$, if 
either $\beta = \beta'$, or $\beta$ is finite and there exists a timed sequence pair $\beta''$ such that 
$\beta' = \beta ; \beta''$. 

4.3. Timed Action Transducers 

In this section we introduce the notion of a timed action transducer, define what 
are the timed traces of a timed action transducer, and show how timed action 
transducers define operations on timed automata. 

4.3.1. Definition 

A timed action transducer $T$ is an action transducer with $acts(T) \supseteq \mathbb{R}^+$ and, 
for all colours $c$, $acts(T,c) \supseteq \mathbb{R}^+$. The sets of visible actions are defined by 
$vis(T) = ext(T) - \mathbb{R}^+$ and, for all $c$, $vis(T,c) = ext(T,c) - \mathbb{R}^+$. 

We assume that T satisfies five axioms. 

T1 If $s' \xrightarrow[\eta]{a} s$ and $\eta(i) \in \mathbb{R}^+$, then $a \in \mathbb{R}^+$ 

T2 If $s' \xrightarrow[\eta]{d} s$ and $i \in active(T,s')$, then $\eta(i) \in \mathbb{R}^+$ 

T3 If $s' \xrightarrow{d} s$ then $active(T,s') = active(T,s)$ 

T4 If $s' \xrightarrow[\eta]{d} s''$ and $s'' \xrightarrow[\eta']{d'} s$, then $s' \xrightarrow[\eta+\eta']{d+d'} s$ 

(Here addition on triggers is defined by pointwise extension; we identify the 
noaction symbol $0$ and the real number $0$.) 

Axiom T1 says that non-time-passage steps do not change any of the local 
times. Axiom T2 says that time-passage steps must cause an increase in the local 
times for all of the active holes; note that we permit different amounts of time to 
pass for the action transducer and the components. Axiom T3 states that time- 
passage steps do not change the set of active holes. Axiom T4 allows repeated 
time-passage steps to be combined into one step. 

In order to state the last axiom, we first need the definition of a “transducer 
trajectory”. The notion of a transducer trajectory is analogous to that of a 
trajectory, and describes restrictions on the state changes that can occur during 
time-passage. A transducer trajectory for a step $s' \xrightarrow[\eta]{d} s$ of $T$ consists of: 

1. a function $w : [0,d] \to states(T)$ with $w(0) = s'$ and $w(d) = s$, and 

2. for each hole $i$, a continuous, monotonic function $tt_i : [0,d] \to [0,\eta(i)]$ with 
$tt_i(0) = 0$ and $tt_i(d) = \eta(i)$, such that 

$$w(t) \xrightarrow[\lambda i.\, tt_i(t') - tt_i(t)]{\;t'-t\;} w(t') \quad \text{for all } t, t' \in [0,d] \text{ with } t < t'$$



Action Transducers and Timed Automata 


519 


A transducer trajectory assigns, to each time $t$ in interval $[0,d]$, a state $w(t)$. As 
before, this assignment allows time-passage steps to span between any pair of 
states in the range of $w$. The functions $tt_i$ can be viewed as time tables that 
translate a global increase in time to a local increase in time. Note that for each 
inactive hole $i$, the time table function $tt_i$ is constant $0$, and for each active hole 
$i$, $tt_i$ is strictly monotonic by axiom T2. 

Now we can state the final axiom for a timed action transducer. 

T5 Each step $s' \xrightarrow[\eta]{d} s$ has a transducer trajectory 

Axiom T5 says that any time-passage step can be “filled in” with states for each 
intervening time, in a “consistent” way. 

Note that, for each timed automaton A, trans(A) is a timed action transducer, 
and conversely, for each timed action transducer T, aut(T) is a timed automaton. 
As in the untimed case, for any timed automaton A, aut(trans(A)) = A, and for 
any timed action transducer T with an empty set of holes, trans(aut(T)) = T. 

The definition of $\tau$-respecting in Section 2.4 applies to timed action transducers, 
since they are a special case of action transducers. In this case, however, 
axiom T2 combines with Condition 3 of the $\tau$-respecting definition to yield the 
following: 

Lemma 4.1. If $T$ is a $\tau$-respecting timed action transducer, and $s$ is a state of 
$T$ in which an action $d \in \mathbb{R}^+$ is enabled, then there are only finitely many holes 
active in state $s$. 

4.3.2. Timed Traces 

Let $\gamma = s_0 a_1 \eta_1 s_1 a_2 \eta_2 s_2 \cdots$ be an execution fragment of timed action transducer 
$T$. For each index $j$, let $t_j$ be given by 

$$t_0 = 0$$
$$t_{j+1} = \text{if } a_{j+1} \in \mathbb{R}^+ \text{ then } t_j + a_{j+1} \text{ else } t_j$$

Then we define $ltime(\gamma) = \sup_j(t_j)$. The notions of Zeno and admissible execution 
fragments are defined for timed action transducers as for timed automata. The 
timed trace of $\gamma$ is defined to be the pair 

$$t\text{-}trace(\gamma) = (((a_1,t_1)(a_2,t_2)\cdots) \lceil (vis(T) \times \mathbb{R}^{\geq 0}),\; ltime(\gamma))$$

Thus, $t\text{-}trace(\gamma)$ records the visible events of $\gamma$ paired with their times of occurrence, 
as well as the limit time of the sequence. Also, for each index $j$ and each 
hole $i$, we define the local time of occurrence $t_{j,i}$ by: 

$$t_{0,i} = 0$$
$$t_{j+1,i} = \text{if } \eta_{j+1}(i) \in \mathbb{R}^+ \text{ then } t_{j,i} + \eta_{j+1}(i) \text{ else } t_{j,i}$$

For each hole $i$, we let $hltime(i,\gamma) = \sup_j(t_{j,i})$; this is the largest local time for 
hole $i$. 

The timed trace for hole $i$ of $\gamma$ is defined to be the pair 

$$t\text{-}trace(\gamma,i) = (((\eta_1(i),t_{1,i})(\eta_2(i),t_{2,i})\cdots) \lceil (vis(T,col(T,i)) \times \mathbb{R}^{\geq 0}),\; hltime(i,\gamma))$$
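As an added example (not from the paper), the following Python computes $t\text{-}trace(\alpha)$ for a finite execution of a timed automaton (Section 4.2), $t\text{-}trace(\gamma,i)$ for a hole of a finite execution of a timed action transducer (Section 4.3.2), and the concatenation and prefix relation on timed sequence pairs from the end of Section 4.2. The list encodings of executions and triggers, the function names and the sample executions are mine; times are Fractions so that comparisons are exact.

```python
# Added example: timed traces of finite executions (Sections 4.2 and 4.3.2)
# and the operations ; and ≤ on timed sequence pairs (end of Section 4.2).
# Encodings chosen here: an execution of a timed automaton is a list
# [s0, a1, s1, a2, s2, ...]; an execution of a timed action transducer is
# [s0, a1, eta1, s1, a2, eta2, s2, ...] with each trigger eta_j a dict mapping
# a hole to its action (a hole absent from the dict gets the noaction 0).
# Time-passage actions are positive Fractions (or ints); tau is the string "tau".
from fractions import Fraction
import math

TAU = "tau"


def is_time(a):
    """True for time-passage actions, i.e. elements of R+ (0 is the noaction)."""
    return isinstance(a, (int, Fraction)) and not isinstance(a, bool) and a > 0


def stamps(actions):
    """t_0 = 0; t_{j+1} = t_j + a_{j+1} if a_{j+1} in R+, else t_j.
    Returns ([t_1, ..., t_n], sup_j t_j); for a finite sequence the sup is t_n."""
    t, out = Fraction(0), []
    for a in actions:
        if is_time(a):
            t += a
        out.append(t)
    return out, t


def t_trace(execution, vis):
    """t-trace(alpha): visible actions paired with their times, restricted to
    vis x R>=0, together with ltime(alpha)."""
    actions = execution[1::2]
    ts, ltime = stamps(actions)
    return tuple((a, t) for a, t in zip(actions, ts) if a in vis), ltime


def hole_trace(execution, hole, vis_hole):
    """t-trace(gamma, i): the hole's own actions eta_j(i) paired with its local
    times t_{j,i}, restricted to vis(T, col(T, i)) x R>=0, plus hltime(i, gamma).
    Local time advances only by the time-passage actions the trigger hands to
    this hole, so it may differ from the global time (axiom T2 allows that)."""
    local = [eta.get(hole, 0) for eta in execution[2::3]]
    ts, hltime = stamps(local)
    return tuple((b, t) for b, t in zip(local, ts) if b in vis_hole), hltime


def concat(beta, beta2):
    """beta ; beta2 for finite beta: shift every time of beta2 by beta's limit time."""
    seq, t = beta
    seq2, t2 = beta2
    if t == math.inf:
        raise ValueError("left operand of ; must be finite")
    return seq + tuple((k, t + t_) for k, t_ in seq2), t + t2


def is_prefix(beta, beta2):
    """beta ≤ beta2 iff beta == beta2, or beta is finite and beta2 = beta ; beta''
    for some timed sequence pair beta''."""
    if beta == beta2:
        return True
    seq, t = beta
    seq2, t2 = beta2
    if t == math.inf or seq2[:len(seq)] != seq:
        return False
    # beta'' exists iff the rest of beta2, shifted back by t, is still a timed
    # sequence pair: all its times and its limit time must be >= t.
    rest = seq2[len(seq):]
    return t2 >= t and all(t_ >= t for _, t_ in rest)


# Constructed sample execution of a timed automaton with vis = {a, b}:
# a at time 0, two time units pass, a tau, half a unit passes, then b at 5/2.
ALPHA = ["s0", "a", "s1", Fraction(2), "s2", TAU, "s3", Fraction(1, 2), "s4", "b", "s5"]

# Constructed sample execution of a transducer with two holes: a visible step
# of hole 1, then a global time-passage of 3 in which hole 1 advances 1 and
# hole 2 advances 3 (different local amounts are permitted), then a tau of hole 2.
GAMMA = ["s0", "a", {1: "a"}, "s1", Fraction(3), {1: Fraction(1), 2: Fraction(3)},
         "s2", TAU, {2: TAU}, "s3"]

if __name__ == "__main__":
    print(t_trace(ALPHA, {"a", "b"}))      # a at 0 and b at 5/2, ltime 5/2
    print(hole_trace(GAMMA, 1, {"a"}))     # a at local time 0, hltime 1
    print(hole_trace(GAMMA, 2, {"b"}))     # nothing visible, hltime 3
```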
4.3.3. Zeno-respecting Property 


The following definition is needed for the substitutivity results. A timed action 
transducer $T$ is Zeno-respecting if for each admissible execution 

$$\gamma = s_0 a_1 \eta_1 s_1 a_2 \eta_2 s_2 \cdots$$

of $T$, the following condition holds: for each hole $i$, either $hltime(i,\gamma) = \infty$, or 
there is an index $j$ such that $i \notin active(T,s_k)$ for all $k > j$. 

Thus, if a Zeno-respecting timed action transducer advances time to infinity 
then, for each hole, either the local time also advances to infinity, or the hole 
becomes permanently inactive from some point on. 

4.3.4. Combining Timed Action Transducers and Timed Automata 


Let $T$ be a timed action transducer. A timed automaton assignment for $T$ is an 
automaton assignment for $T$ that maps each colour to a timed automaton. 

Lemma 4.2. Suppose $T$ is a timed action transducer and $\zeta$ is a timed automaton 
assignment for $T$. Then $T(\zeta)$ is a timed automaton. 

Proof: We show that $T(\zeta)$ satisfies axioms S1-S2. Let $Z = \lambda i.\zeta(col(T,i))$. 

For axiom S1, assume $(s',z') \xrightarrow{d}_{T(\zeta)} (s'',z'')$ and $(s'',z'') \xrightarrow{d'}_{T(\zeta)} (s,z)$. We must 
prove $(s',z') \xrightarrow{d+d'}_{T(\zeta)} (s,z)$. By the assumption and the definition of composition, 
there exist triggers $\eta$ and $\eta'$ such that 

1. $s' \xrightarrow[\eta]{d} s''$ 

2. $\forall i : [\text{if } \eta(i) = 0 \text{ then } z'(i) = z''(i) \text{ else } z'(i) \xrightarrow{\eta(i)}_{Z(i)} z''(i)]$ 

3. $s'' \xrightarrow[\eta']{d'} s$ 

4. $\forall i : [\text{if } \eta'(i) = 0 \text{ then } z''(i) = z(i) \text{ else } z''(i) \xrightarrow{\eta'(i)}_{Z(i)} z(i)]$ 

Now it is routine to check that 

1. $s' \xrightarrow[\eta+\eta']{d+d'} s$ 

2. $active(T,s') = active(T,s'')$ 

3. $i \in active(T,s')$ implies $z'(i) \xrightarrow{\eta(i)+\eta'(i)}_{Z(i)} z(i)$ 

4. $i \notin active(T,s')$ implies $z'(i) = z(i)$ 

Together this implies the validity of axiom S1. 

For axiom S2, assume $(s',z') \xrightarrow{d}_{T(\zeta)} (s,z)$. We must prove that there exists a 
transducer trajectory for $(s',z') \xrightarrow{d} (s,z)$. By the assumption and the definition of 
composition, there exists a trigger $\eta$ such that 

1. $s' \xrightarrow[\eta]{d} s$ 

2. $\forall i : [\text{if } \eta(i) = 0 \text{ then } z'(i) = z(i) \text{ else } z'(i) \xrightarrow{\eta(i)}_{Z(i)} z(i)]$ 

Choose a transducer trajectory $w, tt_i$ ($i \in holes(T)$) for $s' \xrightarrow[\eta]{d} s$. Next, choose for 
each $i \in active(T,s')$ a trajectory $w_i$ for $z'(i) \xrightarrow{\eta(i)}_{Z(i)} z(i)$. For $i \notin active(T,s')$, let $w_i$ 
be the function with domain $[0,0]$ given by $w_i(0) = z'(i)$. Let $w'$ be the function 
with domain $[0,d]$ given by $w'(t) = (w(t), z_t)$, where $z_t = \lambda i.\, w_i(tt_i(t))$. We claim 
that $w'$ is a transducer trajectory for $(s',z') \xrightarrow{d} (s,z)$. For this, first observe that: 

$$w'(0) = (w(0), z_0) = (s', \lambda i.\, w_i(tt_i(0))) = (s', \lambda i.\, w_i(0)) = (s', \lambda i.\, z'(i)) = (s', z')$$

By similar reasoning $w'(d) = (s,z)$. Now assume $t, t' \in [0,d]$ with $t < t'$. It is 
routine to check 

1. $w(t) \xrightarrow[\lambda i.\, tt_i(t') - tt_i(t)]{t'-t} w(t')$ 

2. $i \notin active(T,s')$ implies $z_t(i) = z_{t'}(i)$ 

3. $i \in active(T,s')$ implies $z_t(i) \xrightarrow{tt_i(t') - tt_i(t)}_{Z(i)} z_{t'}(i)$ 

Together this implies $w'(t) \xrightarrow{t'-t}_{T(\zeta)} w'(t')$. This completes the proof that $w'$ is a 
transducer trajectory, and thereby the proof of the lemma. □ 


The next lemma is analogous to Lemma 2.1 in the untimed case, and plays 
an important role in the substitutivity result for timed action transducers in the 
next section. 

Lemma 4.3. Suppose $T$ is a Zeno-respecting timed action transducer, $\zeta$ is a timed 
automaton assignment for $T$, and $\alpha = (s_0,z_0)a_1(s_1,z_1)a_2(s_2,z_2)\cdots$ is a non-Zeno 
execution of $T(\zeta)$ with trigger sequence $\eta_1 \eta_2 \cdots$. Let $Z(i) = \zeta(col(T,i))$ for each 
hole $i$. 

Then $\gamma = s_0 a_1 \eta_1 s_1 a_2 \eta_2 s_2 \cdots$ is a non-Zeno execution of $T$, 
$t\text{-}trace(\gamma) = t\text{-}trace(\alpha)$, and for each hole $i$, $t\text{-}trace(\gamma,i) \in t\text{-}traces(Z(i))$. 

Proof: By Lemma 2.1, we know that $\gamma$ is an execution of $T$. Because $\alpha$ is non-Zeno, 
$\gamma$ is non-Zeno as well, and $t\text{-}trace(\gamma) = t\text{-}trace(\alpha)$. Fix a hole $i$. Define $\alpha'$ 
to be the sequence obtained by taking the sequence $z_0(i)\,\eta_1(i)\,z_1(i)\,\eta_2(i)\,z_2(i)\cdots$ and 
removing all subsequences $\eta_j(i)\,z_j(i)$ with $\eta_j(i) = 0$. Then, by definition of $T(\zeta)$, $\alpha'$ 
is an execution of $Z(i)$. Because $T$ is Zeno-respecting, $\alpha'$ is non-Zeno. Let 

$$t_{0,i} = 0$$
$$t_{j+1,i} = \text{if } \eta_{j+1}(i) \in \mathbb{R}^+ \text{ then } t_{j,i} + \eta_{j+1}(i) \text{ else } t_{j,i}$$

Then 

$$t\text{-}trace(\alpha') = (((\eta_1(i),t_{1,i})(\eta_2(i),t_{2,i})\cdots) \lceil (vis(Z(i)) \times \mathbb{R}^{\geq 0}),\; \sup_j t_{j,i}) = t\text{-}trace(\gamma,i)$$

which implies $t\text{-}trace(\gamma,i) \in t\text{-}traces(Z(i))$. □ 


4.4. Substitutivity 

We are now ready to state and prove our substitutivity results for timed action 
transducers. Our results require the hypothesis that the action transducers are 
Zeno-respecting. Without this hypothesis, it might happen that an admissible 
execution of a composition includes a Zeno execution of some argument. Since 
timed trace inclusion does not imply inclusion of the sets of Zeno traces, this 
means that $\leq^t$ need not be substitutive for such action transducers. 

Theorem 4.4. The relations $\leq^t$ and $\leq^t_*$ on timed automata are substitutive for all 
Zeno- and $\tau$-respecting timed action transducers. 

Proof. Similar to the proof of Theorem 2.2. Let $T$ be a Zeno- and $\tau$-respecting 
timed action transducer. We show that $\leq^t$ is substitutive for $T$. The proof that 
$\leq^t_*$ is substitutive for $T$ is similar. 

Suppose $\zeta, \zeta'$ are timed automaton assignments for $T$ such that, for all 
$c$, $\zeta(c) \leq^t \zeta'(c)$, and suppose that $\beta \in t\text{-}traces(T(\zeta))$. We have to prove that 
$\beta \in t\text{-}traces(T(\zeta'))$. For this, let $Z = \lambda i.\zeta(col(T,i))$ and $Z' = \lambda i.\zeta'(col(T,i))$. Then 
$Z(i) \leq^t Z'(i)$ for each hole $i$. 

Since $\beta \in t\text{-}traces(T(\zeta))$, $T(\zeta)$ has a non-Zeno execution 

$$\alpha = (s_0,z_0)a_1(s_1,z_1)a_2(s_2,z_2)\cdots$$

with $t\text{-}trace(\alpha) = \beta$. Let $\eta = \eta_1 \eta_2 \cdots$ be a trigger sequence for $\alpha$, and let 

$$\gamma = s_0 a_1 \eta_1 s_1 a_2 \eta_2 s_2 \cdots$$

By Lemma 4.3, $\gamma$ is a non-Zeno execution of $T$, $t\text{-}trace(\gamma) = \beta$, and for each hole 
$i$, 

$$\beta_i = t\text{-}trace(\gamma,i) \in t\text{-}traces(Z(i))$$

Since $Z(i) \leq^t Z'(i)$, we obtain $\beta_i \in t\text{-}traces(Z'(i))$, for all $i$. Therefore, $Z'(i)$ has, 
for each $i$, a non-Zeno execution $\alpha_i$ with $t\text{-}trace(\alpha_i) = \beta_i$. Let $\gamma_0$ be the sequence 
obtained from $\gamma$ by removing all clearing steps. Then $\gamma_0$ is a non-Zeno execution 
of $T$ and $t\text{-}trace(\gamma_0) = \beta$. As in the untimed case, our job is to “paste” together 
$\gamma_0$ and the $\alpha_i$ to obtain an execution of $T(\zeta')$. We construct an automaton $A$ that 
describes several allowable ways to do this pasting and that generates executions 
of $T(\zeta')$ with the required properties. The set of states of $A$ consists of all 
valuations of the following state variables in their domains: 

• a variable $frag$ ranging over the set of execution fragments of $T$. This variable 
denotes the part of $\gamma_0$ that still has to be dealt with. The initial value of $frag$ 
is $\gamma_0$. 

• for each hole $i$, a variable $frag_i$ ranging over execution fragments of $Z'(i)$. 
This variable denotes the part of $\alpha_i$ that still has to be pasted together with 
(the remainder of) $\gamma_0$. The initial value of $frag_i$ is $\alpha_i$. 

• a variable $exec$ ranging over finite executions of $T(\zeta')$. The limit of the values 
of $exec$ will be the execution of $T(\zeta')$ in which we are interested. The initial 
value of $exec$ is the trivial execution consisting of the state composed from 
the first states of $\gamma_0$ and the first states of the $\alpha_i$. 

• a variable $delay$ ranging over $\mathbb{R}^{\geq 0}$. 

• a vector $w, tt_i$ ($i \in holes(T)$) of variables ranging over transducer trajectories 
of $T$. 

• for each hole $i$, a variable $w_i$ ranging over trajectories of $Z'(i)$. 

Automaton $A$ has actions CLEARING, TIME and BASIC, which correspond 
to the three different types of actions of $T(\xi')$: clearing steps, time-passage 
steps, and the remaining "basic" steps. The transitions of $A$ are defined using 
precondition/effect style in Fig. 3. 

BASIC 
  Precondition 
    $frag$ begins with $s' \xrightarrow{a,\eta} s$ 
    $\wedge\ a \notin \mathbb{R}^+$ 
    $\wedge$ for all holes $i$ that participate in the first step of $frag$: 
        $frag_i$ begins with an $\eta(i)$ step 
  Effect 
    remove the first step from $frag$; 
    for each hole $i$ that participates in the first step of $frag$ do 
        remove the first step from $frag_i$; 
    append to $exec$ an $a$ followed by the state of $T(\xi')$ composed 
        from the first states of $frag$ and all the $frag_i$ 

CLEARING 
  Precondition 
    $frag$ contains at least one step 
    $\wedge$ hole $i_0$ participates in the first step of $frag$ 
    $\wedge\ frag_{i_0}$ begins with a $\tau$ step 
  Effect 
    remove the first step from $frag_{i_0}$; 
    append to $exec$ a $\tau$ followed by the state of $T(\xi')$ composed 
        from the first states of $frag$ and all the $frag_i$ 

TIME 
  Precondition 
    $frag$ begins with $s' \xrightarrow{d,\eta} s$ 
    $\wedge$ for all holes $i$ that are active in $s'$: $frag_i$ begins with $s_i' \xrightarrow{d_i} s_i$ 
  Effect 
    $w, \pi_i\ (i \in holes(T))$ := any transducer trajectory for $s' \xrightarrow{d,\eta} s$; 
    for each hole $i$ that is active in $s'$ do 
        $w_i$ := any trajectory for $s_i' \xrightarrow{d_i} s_i$; 
    $delay := \min(\{d\} \cup \{\pi_i^{-1}(d_i) \mid i \text{ is active in } s' \text{ and } d_i < \eta(i)\})$; 
    if $delay = d$ then remove first step from $frag$ 
    else replace first step $s' \xrightarrow{d,\eta} s$ of $frag$ by $s'' \xrightarrow{d',\eta'} s$, 
        where $s'' = w(delay)$, $d' = d - delay$ and $\eta' = \eta - \lambda i.\,\pi_i(delay)$; 
    for each hole $i$ that is active in $s'$ do 
        if $\pi_i(delay) = d_i$ then remove first step from $frag_i$ 
        else replace first step $s_i' \xrightarrow{d_i} s_i$ of $frag_i$ by $s_i'' \xrightarrow{d_i'} s_i$, 
            where $s_i'' = w_i(\pi_i(delay))$ and $d_i' = d_i - \pi_i(delay)$; 
    append to $exec$ the real value $delay$ followed by the state of $T(\xi')$ composed 
        from the first states of $frag$ and all the $frag_i$ 

Fig. 3. Algorithm for pasting together $\gamma_0$ and the $\alpha_i$. 

The intuition is that, while building an execution 
of $T(\xi')$, automaton $A$ peels off initial steps of $\gamma_0$ and the $\alpha_i$. If the remainder of $\gamma_0$ 
starts with a non-time-passage step $a$, and, for each hole $i$ that participates in this 
step, the remainder of $\alpha_i$ starts with the action required for hole $i$, then a BASIC 
step is taken by $A$. If, for some hole $i$, the remainder of $\alpha_i$ starts with a $\tau$ step then 
$A$ can do a corresponding CLEARING action, provided that $i$ participates in the 
next step of $\gamma_0$. The most complicated part of the definition of $A$ is the description 
of the TIME step. Here the intuition is that if the remainder of $\gamma_0$ starts with a 
time passage step and, for each hole $i$ that participates in this step, the remainder 
of $\alpha_i$ also starts with a time passage step, automaton $A$ nondeterministically 
chooses trajectories corresponding to all these steps, and then determines the 
maximal progress it can make along these trajectories without passing beyond the 
limit time of any of them. More specifically, suppose that the remainder of $\gamma_0$ 
begins with a step $s' \xrightarrow{d,\eta} s$ with transducer trajectory $w, \pi_i\ (i \in holes(T))$. Suppose 
further that for all holes $i$ that are active in $s'$, the remainder of $\alpha_i$ begins with 
$s_i' \xrightarrow{d_i} s_i$. Then the maximal global increase in time is $d$. For each active hole 
$i$ the maximal local increase of time is the minimum of $d_i$ and $\eta(i)$. In order 
to translate this to a global increase in time, observe that the inverse mapping 
of $\pi_i$ is defined, since this function is both continuous and strictly monotonic. 
Therefore the requirement that the local increase in time for hole $i$ is at most 
$\min(d_i, \eta(i))$ is equivalent to the requirement that the global increase in time is at 
most $\min(\pi_i^{-1}(d_i), d)$. 
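The delay computation of the TIME action is the only part of Fig. 3 with real arithmetic in it, so here it is spelled out as an added example (not code from the paper) for the special case in which every transducer trajectory is linear, $\pi_i(t) = r_i \cdot t$, which is also the shape of trajectory the RATE transducer of Section 5.1.5 produces. The class and function names, and the sample rates and remainders, are this example's own assumptions; the paper fixes only the formulas.

```python
# Added example: the Effect clause of the TIME action of Fig. 3 for linear
# trajectories pi_i(t) = r_i * t.  Names (Pending, time_step, run_until_full)
# and sample data are assumptions of this example, not the paper's notation.
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Pending:
    """Remainder of the first step of gamma_0 and of each alpha_i."""
    d: float                  # global time still to pass in gamma_0's first step
    rates: Dict[int, float]   # r_i for every hole i active in s'; pi_i(t) = r_i * t
    local: Dict[int, float]   # d_i: local time still to pass in alpha_i's first step

    def eta(self, i: int) -> float:
        """Trigger of the global step for hole i: eta(i) = pi_i(d)."""
        return self.rates[i] * self.d

def time_step(p: Pending) -> Tuple[float, bool, Set[int], Optional[Pending]]:
    """One TIME step.  Returns (delay, full, i_full, remainder).

    delay = min({d} u {pi_i^-1(d_i) | i active in s' and d_i < eta(i)}),
    with pi_i^-1(d_i) = d_i / r_i for a linear trajectory.  A hole with
    d_i >= eta(i) cannot bound the delay: its local step outlasts the global
    one, so only part of it is consumed.  The step is `full` when delay == d
    (the first step of frag is removed) and i-full for each hole whose first
    step is consumed exactly.  When the step is full the holes' remainders
    stay in their frag_i for the next global step, so no Pending is returned.
    """
    candidates = {p.d}
    for i, d_i in p.local.items():
        if d_i < p.eta(i):
            candidates.add(d_i / p.rates[i])
    delay = min(candidates)
    full = math.isclose(delay, p.d)
    i_full: Set[int] = set()
    new_local: Dict[int, float] = {}
    for i, d_i in p.local.items():
        passed = p.rates[i] * delay           # pi_i(delay): local time consumed
        if math.isclose(passed, d_i):
            i_full.add(i)                     # first step of frag_i removed
        else:
            new_local[i] = d_i - passed       # replaced by s_i'' --d_i'--> s_i
    remainder = None if full else Pending(p.d - delay, dict(p.rates), new_local)
    return delay, full, i_full, remainder

def run_until_full(p: Pending) -> List[float]:
    """Repeat TIME steps until the global step is consumed; returns the delays.

    The assertion is the observation used in the proof of Claim 3: every
    TIME step is full or i-full for at least one hole, so the loop needs at
    most one step per active hole plus one.
    """
    delays: List[float] = []
    while p is not None:
        delay, full, i_full, p = time_step(p)
        assert full or i_full
        delays.append(delay)
    return delays

if __name__ == "__main__":
    # constructed input: global step of length 4; hole 1 runs at rate 1 with
    # 5 local units left, hole 2 at rate 1/2 with 1 local unit left
    print(run_until_full(Pending(4.0, {1: 1.0, 2: 0.5}, {1: 5.0, 2: 1.0})))
```

In the sample run hole 2 bounds the first delay to $\pi_2^{-1}(1) = 2$ (the step is 2-full, not full), and the second step is full, which is exactly the two cases the `if delay = d` test of Fig. 3 distinguishes.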

We leave it to the reader to check that the definition of A is type correct, in 
the sense that each variable is only assigned values in its domain. Note that in 
the effect part of the TIME action the argument of the min operator is always 
a nonempty, finite set of positive real numbers: by Lemma 4.1, the number of 
holes that participate in a time passage step of T is finite. 

Pick an arbitrary maximal execution $\delta = u_0\, b_1\, u_1\, b_2\, u_2 \cdots$ of $A$. Since the three 
actions of $A$ only append values to variable $exec$, we can define $\alpha'$ as the limit of 
the values of $exec$ along $\delta$. By construction, $\alpha'$ is an execution of $T(\xi')$. We claim 
that $\alpha'$ is non-Zeno and $\textit{t-trace}(\alpha') = \beta$. 

In order to see this, we first establish that $A$ satisfies the following invariant 
properties. Here we write $u.v$ for the value of state variable $v$ of $A$ in state $u$. 

1. For all reachable states $u$, $\textit{t-trace}(u.exec)\,;\,\textit{t-trace}(u.frag) = \beta$ (the concatenation of the two timed traces). 

2. For all reachable states $u$ and holes $i$, $\textit{t-trace}(u.frag_i) = \textit{t-trace}(u.frag, i)$. 

Proof: By simple inductive arguments. □ 

Using Invariants 1 and 2, we next prove three claims. 

Claim 1. Suppose that $u$ is a reachable state of $A$ and $u.frag$ is not a single state 
execution fragment. Then $u$ has an outgoing step. 

Proof: Let $s' \xrightarrow{a,\eta} s$ be the first step of $u.frag$. If, for some hole $i$ that participates 
in this first step, $u.frag_i$ begins with a $\tau$-step, then a CLEARING action is enabled 
in $u$. So suppose that for all holes $i$ that participate in the first step $u.frag_i$ does 
not begin with a $\tau$-step. We consider two cases. 

1. Suppose $a \notin \mathbb{R}^+$. It follows by Invariant 2 that, for each hole $i$ that participates 
in the first step of $u.frag$, $u.frag_i$ starts with an $\eta(i)$ step. But this means that a 
BASIC action is enabled. 

2. Suppose $a \in \mathbb{R}^+$. If hole $i$ participates in the first step, then it follows by 
axiom T2 that $\eta(i) \in \mathbb{R}^+$. Since $u.frag_i$ does not begin with a $\tau$-step, Invariant 
2 implies that it begins with a time passage step. Because this is the case for 
each hole $i$ that participates in the first step, a TIME action is enabled 
in state $u$. 

□ 

Claim 2. Execution $\delta$ has no infinite suffix that consists of CLEARING steps 
only. 

Proof: Analogous to the corresponding proof in the untimed case. □ 

Claim 3. If $\delta$ contains an infinite suffix that consists of CLEARING and TIME 
steps only, then $ltime(\alpha') = \infty$. 

Proof: The proof is by contradiction. Suppose $\delta$ has an infinite suffix with 
CLEARING and TIME steps only, but $ltime(\alpha')$ is finite. 

Suppose $u' \xrightarrow{\mathrm{TIME}} u$ is a step of $A$, $d$ is the label of the first step of $u'.frag$ and, 
for each $i$ that participates in the first step of $u'.frag$, $d_i$ is the label of the first 
step of $u'.frag_i$. Then we say that $u' \xrightarrow{\mathrm{TIME}} u$ is full if $u.delay = d$, and $i$-full for hole 
$i$ if $u.\pi_i(u.delay) = d_i$. By definition, each TIME step is either full or $i$-full for at 
least one hole $i$. 

If $\delta$ contains infinitely many full TIME steps then $ltime(\alpha') = \infty$, because $\gamma_0$ 
is non-Zeno. So we may assume that $\delta$ contains only finitely many full TIME 
steps. This means that $\delta$ has an infinite suffix $\delta'$ that consists of CLEARING and 
non-full TIME steps only. By Claim 2, $\delta'$ contains infinitely many non-full TIME 
steps. If in $A$ there is a non-full TIME step from $u'$ to $u$, $s'$ is the first state of 
$u'.frag$ and $s$ is the first state of $u.frag$, then $active(T, s') = active(T, s)$ by axiom 
T3. Also, if in $A$ there is a CLEARING step from $u'$ to $u$, then the first state 
of $u'.frag$ equals the first state of $u.frag$. Therefore, there is a fixed collection of 
holes that participate in the non-full TIME steps of $\delta'$. By Lemma 4.1 we know, 
moreover, that this collection is finite. So, the execution fragment $\delta'$ contains 
infinitely many $i$-full TIME steps for some hole $i$. This means that $\alpha_i$ is infinite; 
then since it is non-Zeno, $\alpha_i$ is admissible. 

For $u' \xrightarrow{\mathrm{TIME}} u$ a step of $A$, $u.\pi_i(u.delay)$ gives the amount of time that has 
passed for hole $i$ during that step. Because $\alpha_i$ is admissible, the sum of the 
time-passage actions for hole $i$ along $\delta$ increases without bound: 

$\lim_{k \to \infty} \sum_{\{j \mid 1 \leq j \leq k,\ b_j = \mathrm{TIME}\}} u_j.\pi_i(u_j.delay) = \infty$

But this contradicts the fact that $\delta'$ contains no full TIME steps: if $u_l$ is the first 
state of $\delta'$ and $u_l.frag$ begins with a step $s' \xrightarrow{d,\eta} s$, then for all $k > l$: 

$\sum_{\{j \mid l < j \leq k,\ b_j = \mathrm{TIME}\}} u_j.\pi_i(u_j.delay) < \eta(i)$

□ 

We return to the proof that $\alpha'$ is non-Zeno and $\textit{t-trace}(\alpha') = \beta$. Again we consider 
cases. 

1. Suppose $\delta$ is finite, with final state $u_n$. Then, by Claim 1, $u_n.frag$ consists of 
a single state execution fragment. In combination with Invariant 1, this gives 
$\textit{t-trace}(u_n.exec) = \beta$. But $\alpha'$ is defined as the limit of $u_n.exec$, so $\alpha' = u_n.exec$. 
Hence $\alpha'$ is finite (and hence non-Zeno) and $\textit{t-trace}(\alpha') = \beta$. 

2. Suppose $\delta$ is infinite and contains infinitely many BASIC actions. Since $frag$ 
is initially $\gamma_0$, and each BASIC step removes a step from $\gamma_0$, it follows that 
$\gamma_0$ is infinite. But since $\gamma_0$ is non-Zeno, it is in fact admissible. Because there 
are infinitely many BASIC steps in $\delta$, it follows by construction of $A$ that the 
limit as $j \to \infty$ of $ltime(u_j.exec)$ is $\infty$, and that hence $\alpha'$ is admissible (and 
hence non-Zeno). By Invariant 1, $\textit{t-trace}(u_j.exec)$ is a prefix of $\beta$ for each $j$. 
Since the limit $\alpha'$ of the executions $u_j.exec$ is admissible, $\textit{t-trace}(\alpha') = \beta$. 

3. Suppose $\delta$ is infinite and contains only finitely many BASIC actions. Then $\delta$ 
has an infinite suffix with CLEARING and TIME actions only. Combination 
of this fact with Claim 3 gives that $\alpha'$ is admissible (and hence non-Zeno). 
Now we use the same argument as in the previous case. By Invariant 1, 
$\textit{t-trace}(u_j.exec)$ is a prefix of $\beta$ for each $j$. Since the limit $\alpha'$ of the executions 
$u_j.exec$ is admissible, $\textit{t-trace}(\alpha') = \beta$. 

The fact that $\alpha'$ is non-Zeno and $\textit{t-trace}(\alpha') = \beta$ implies $\beta \in \textit{t-traces}(T(\xi'))$, as 
required. □ 


5. A Timed Process Algebra 

In this section, we give examples of operations that can be expressed as timed 
action transducers. Together, these operations form a language that we will call 
$\mathcal{L}_t$. Paraphrasing Alur and Henzinger [AlH94], we can summarise the main idea 
behind $\mathcal{L}_t$ as: 

real-time process algebra = untimed process algebra + timers 

After the definition of the operators of $\mathcal{L}_t$ in Section 5.1, we will discuss the 
expressivity of the language in Section 5.2. 


5.1. Operators 

5.1.1. The Patient Construction 

An important collection of timed action transducers can be obtained from untimed 
action transducers. In this subsection we present a simple but important 
construction, inspired by Nicollin and Sifakis [NiS92], that transforms an untimed 
action transducer into a timed one, by simply inserting arbitrary time-passage 
steps. Suppose $T$ is an (untimed) action transducer with $\mathbb{R}^+ \cap acts(T) = \emptyset$ and 
$\mathbb{R}^+ \cap acts(T,c) = \emptyset$, for all $c$. Then $patient(T)$ is the timed action transducer $T'$ 
that has exactly the same components as $T$, except: 

• $acts(T') = acts(T) \cup \mathbb{R}^+$ 

• for all $c$, $acts(T',c) = acts(T,c) \cup \mathbb{R}^+$ 

• $steps(T') = steps(T)\ \cup$ 

$\{s \xrightarrow{d,\eta} s \mid s \in states(T),\ d \in \mathbb{R}^+,\ \eta = \lambda i.\ \text{if } i \in active(T,s) \text{ then } d \text{ else } 0\}$ 

It is straightforward to check that $patient(T)$ is indeed a timed action transducer. 
However, $patient(T)$ need not be Zeno-respecting. For example, consider an action 
transducer $T$ that activates and deactivates the same hole $i$ infinitely many times 
in one execution. The action transducer $patient(T)$ can intersperse the activations 
of $i$ with time-passage steps, in such a way that all the time-passage occurs when $i$ is 
inactive. This problematic behaviour is not possible with the action transducers 
of Section 3, since these activate and deactivate each hole at most once during 
an execution. In general, $patient(T)$ need also not be $\tau$-respecting even if $T$ is 
$\tau$-respecting. For instance, the variant of the external choice operation $\Box$ with an 
infinite index set is $\tau$-respecting, but its patient timed version is not. The problem 
with infinitary external choice is that in the initial state infinitely many holes 
are active. Since in a timed action transducer all active holes participate in time-passage 
steps, this means that the patient version of the action transducer does 
not satisfy the third condition in the definition of $\tau$-respecting, which requires 
that in each step only finitely many holes participate. The following simple 
lemma characterises the situations in which the patient operation preserves the 
property of being $\tau$-respecting, and returns a timed action transducer that is 
Zeno-respecting. 

Lemma 5.1. Suppose $T$ is an action transducer. Then 

1. $patient(T)$ is Zeno-respecting iff $T$ can activate and deactivate each hole at 
most finitely many times in each execution. 

2. $patient(T)$ is $\tau$-respecting iff $T$ is $\tau$-respecting and in each state of $T$ only 
finitely many holes are active. 

The characterisation in the first part of Lemma 5.1 looks a little less than 
satisfying because it is expressed in terms of executions rather than the basic 
action transducer definition. However, this seems unavoidable. 

All the patient timed versions of the operators in the language $\mathcal{L}_u$ are Zeno- 
and $\tau$-respecting, by Lemma 5.1. Thus, by Theorem 4.4, the timed trace preorders 
$\leq_t$ and $\leq_{*t}$ are substitutive for the patient variants of all these operations. The 
timed action transducers obtained by the patient construction turn out to be quite 
useful, so in the subsequent sections we will adopt the convention that $T$ means 
$patient(T)$ for any of the action transducers of $\mathcal{L}_u$. 

5.1.2. Clocks 

Timed action transducers that are obtained via the patient construction do not 
impose time constraints on their arguments. One way to impose such constraints 
is by using explicit clock variables, as advocated in [AlD94, AlH94]. In this 
subsection, we show how clock variables can be expressed using timed action 
transducers. The unary timed action transducer $\mathrm{CLOCK}_x$ models the effect of 
adding a clock variable $x$ to a system. 

We consider a set $X$ of clock variables, ranged over by $x, y, \ldots$. The set of clock 
constraints $\phi$ is defined inductively by (here $t$ ranges over $\mathbb{R}^{\geq 0}$): 

$\phi ::= x < t \mid x = t \mid \phi \wedge \phi' \mid \neg\phi$ 

Note that constraints such as $true$, $5 < 4$, $x > 0$, and $x \in [2,5)$ can be defined as 
abbreviations. A time assignment $\xi$ assigns a nonnegative real value $\xi(x)$ to each 
clock variable $x$. A time assignment $\xi$ satisfies a clock constraint $\phi$, denoted by 
$\xi \models \phi$, iff $\phi$ evaluates to true using the values given by $\xi$. We say that $\phi$ is a 
tautology iff for all time assignments $\xi$, $\xi \models \phi$. We say that $\phi$ is satisfiable iff there 
exists a time assignment $\xi$ such that $\xi \models \phi$. We denote by $\phi[t/x]$ the formula 
obtained from $\phi$ by replacing all occurrences of $x$ by $t$. 

The state set of action transducer $\mathrm{CLOCK}_x$ is $\mathbb{R}^{\geq 0}$, with $0$ as the initial state. 
There is a single hole called 1. Time proceeds at the same rate for the action 
transducer and its argument. The argument automaton can reset the value of the 
clock variable $x$ at any moment by performing an action containing the label 
$reset(x)$. In addition, the argument automaton can use clock constraints as labels 
to test the value of the clock variable. In order to define the step relation formally 
it is convenient to define some auxiliary functions. Let $x$ be a clock variable, 
$t \in \mathbb{R}^{\geq 0}$ and $a$ a set of labels. Then $a[t/x]$ is the label set obtained from $a$ by 
replacing each clock constraint $\phi$ in $a$ by $\phi[t/x]$. We say $a[t/x]$ is satisfiable if all 
clock constraints contained in it are satisfiable. We also define 

$\mathcal{R}(x, t, a) = \text{if } reset(x) \in a \text{ then } 0 \text{ else } t$ 

Now the steps of $\mathrm{CLOCK}_x$ can be defined by: 

$t \xrightarrow{d,\{(1,d)\}} t + d$ if $d > 0$ 

$t \xrightarrow{b,\{(1,a)\}} \mathcal{R}(x,t,a)$ if $a \notin \mathbb{R}^+$ and $b = a[t/x]$ satisfiable 

As an example, let the actions $a, b, c$ be given by $a = \{\textit{sw-off}, x \in (9,10]\}$, 
$b = \{\textit{sw-off}, 9.5 \in (9,10]\}$ and $c = \{\textit{sw-off}, 1 \in (9,10]\}$. Then $\mathrm{CLOCK}_x$ has a step 

$9.5 \xrightarrow{b,\{(1,a)\}} 9.5$ 

but not a step 

$1 \xrightarrow{c,\{(1,a)\}} 1$ 

because in the second case the clock constraint $x \in (9,10]$ is violated. $\mathrm{CLOCK}_x$ is 
trivially Zeno- and $\tau$-respecting. Thus relations $\leq_t$ and $\leq_{*t}$ are substitutive for this 
action transducer. 

Our definition of clocks directly follows the one proposed in [AlD94, AlH94]. 
In fact, it is possible to encode each (finite state) clock-constrained system in 
the sense of [AlH94] within our language: by Theorem 3.1 we can encode the 
underlying finite automaton (with the clock constraints viewed as part of the 
transition labels), and if we then apply a CLOCK operator for each of the clock 
variables that is used, the resulting expression will generate the same timed traces 
as the clock constrained system that it encodes. We suppose that, for some 
applications, it will be useful to have a more general notion of clock. One can, 
for instance, extend the set of clock constraints with formulas like $x + y < 1$, or 
allow for assignments of the form $x := y + 4$, or introduce labels that ask the 
clock to emit its current time. The important point here is that explicit clocks 
constitute an important and useful construct in real-time process algebra. Our 
specific choice of clock operations is just an example, subject to modification. 


5.1.3. Bounds 

None of the timed action transducers introduced so far constrain the passage of 
time; in particular, all action transducers we have defined are willing to advance 
time by any amount $d$. However, in order to express that a certain event is 
guaranteed to occur before or at a given time, for instance in the specification of 
a timeout, we need an operator which (under certain conditions) can block time. 
In this subsection we give an example of such an operator. 

For any clock variable $x$, the unary timed action transducer $\mathrm{BOUND}_x^b$ ensures 
that the value of $x$ does not advance beyond a given upper bound in $\mathbb{R}^{\geq 0} \cup \{\infty\}$, 
initially $b$. The state set of this action transducer is $\mathbb{R}^{\geq 0} \times (\mathbb{R}^{\geq 0} \cup \{\infty\})$, with $(0,b)$ 
as the initial state. The first state component gives the current value of $x$, and 
the second component gives a bound on the value of $x$.⁷ There is a single hole 
called 1. The value of $x$ can be reset at any moment by an action with label 
$reset(x)$; similarly the bound can be modified via an action with label $x{:}{\leq}u$, for 
$u \in \mathbb{R}^{\geq 0} \cup \{\infty\}$. For $x$ a clock variable, $u \in \mathbb{R}^{\geq 0} \cup \{\infty\}$ and $a$ a finite set of labels, 

$\mathcal{B}(x, u, a) = \text{if } \{u' \mid x{:}{\leq}u' \in a\} = \emptyset \text{ then } u \text{ else } \min\{u' \mid x{:}{\leq}u' \in a\}$ 

Now the steps of $\mathrm{BOUND}_x$ can be defined by: 

$(t,u) \xrightarrow{d,\{(1,d)\}} (t+d, u)$ if $0 < d \leq u - t$ 

$(t,u) \xrightarrow{a,\{(1,a)\}} (\mathcal{R}(x,t,a), \mathcal{B}(x,u,a))$ if $a \notin \mathbb{R}^+$ 

Thus there is, for instance, a step 

$(1,10) \xrightarrow{8.5,\{(1,8.5)\}} (9.5,10)$ 

but not a step 

$(1,10) \xrightarrow{9.5,\{(1,9.5)\}} (10.5,10)$ 

because that would violate the time bound. Clearly, $\mathrm{BOUND}_x$ is Zeno- and 
$\tau$-respecting. Thus relations $\leq_t$ and $\leq_{*t}$ are substitutive for this action transducer. 

In the literature many other proposals can be found on how to constrain the 
passage of time: [AlD94] uses a Büchi style acceptance criterion for this purpose, 
[HNS92] advocates the use of program invariants, [AlH94] proposes the related 
notion of delay predicates, [MaP93] uses so-called important events, and [BPV94] 
uses stability with respect to linear inequalities. It is not clear to us how these 
approaches can be transferred to a process algebraic setting, where automata 
are built up step by step and not given a priori. Our approach to use BOUND 
operators can be viewed as a special case of the invariant approach of [HNS92], 
with a fixed invariant stating that the values of the clock variables never exceed 
the values of the corresponding bound variables. 

5.1.4. Timers 

In applications, we will mostly want to use the clock and bound action transducers 
in combination. Furthermore, we typically want to hide the assignment 
labels outside the scope of these action transducers, where they are no longer 
needed. Finally, it is convenient to do a "garbage collection" and remove vacuous 
constraints like $4 < 7$ that are generated by clock action transducers. For these 
reasons, we define the following derived operation $\mathrm{TIMER}_x^u$, for any clock variable 
$x$ and initial bound $u \in \mathbb{R}^{\geq 0} \cup \{\infty\}$: 

$\mathrm{TIMER}_x^u(A) = (\mathrm{CLOCK}_x(\mathrm{BOUND}_x^u(A))) \setminus (T \cup L_x)$ 

where $T$ is the set of all tautologies and $L_x$ is the set of all assignments to $x$. 

⁷ For simplicity, we do not consider strict bounds. Such bounds can be imposed by parameterising 
the action transducer with an additional boolean that tells whether the time bound is strict or 
not. Alternatively, one can follow a suggestion of Abadi and Lamport [AbL92], and introduce, as 
additional elements of the time domain, the set of all 'infinitesimally shifted' real numbers $r^-$, where 
$t < r^-$ iff $t < r$, for any reals $t$ and $r$. 

Example. We define a timed version of the automatic switch-off mechanism we 
described in Section 3. The system allows a lamp to be switched on at any time; 
then between 9 and 10 time units after the last time the lamp has been switched 
on, it will be switched off. 

$\mathrm{SWITCH}' = \mathrm{TIMER}_x^{\infty}((\{\textit{sw-on}, reset(x), x{:}{\leq}10\}\ ;$ 
$\quad (\{\textit{sw-on}, reset(x)\}\ \Box\ \{\textit{sw-off}, x \in [9,10], x{:}{\leq}\infty\}))^{\omega})$ 
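The behaviour of the combined operator is easiest to see by running it. The following interpreter is an added example, not code from the paper: it implements the state $(t,u)$ of $\mathrm{CLOCK}_x(\mathrm{BOUND}_x^u(\cdot))$ with the hiding of $T \cup L_x$, and replays the SWITCH' system on a constructed schedule (lamp on at time 3, a premature sw-off, a time step that would overrun the deadline, then the sw-off inside $[9,10]$). The classes `Reset`, `Bound`, `In` and `Timer`, the use of plain strings for ordinary actions, and the closed interval form of the constraint are this example's own encoding; the paper fixes no concrete syntax for the labels. Only one clock is modelled, so every constraint in a label refers to $x$ and $\phi[t/x]$ can be decided by evaluation.

```python
# Added example: interpreter for TIMER_x^u = CLOCK_x(BOUND_x^u(.)) with the
# labels of T u L_x hidden, replayed on SWITCH'.  Class names, the string
# encoding of actions and the schedule are assumptions of this example.
import math
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple, Union

INF = math.inf

@dataclass(frozen=True)
class Reset:
    """The label reset(x)."""

@dataclass(frozen=True)
class Bound:
    """The label x:<=u."""
    u: float

@dataclass(frozen=True)
class In:
    """The clock constraint x in [lo, hi] (both ends closed)."""
    lo: float
    hi: float

    def holds(self, t: float) -> bool:
        return self.lo <= t <= self.hi

Label = Union[str, Reset, Bound, In]

class Timer:
    """State (t, u): current value of clock x and current upper bound on x."""

    def __init__(self, u0: float = INF) -> None:
        self.t, self.u = 0.0, u0

    def advance(self, d: float) -> bool:
        """Time-passage step of BOUND: (t,u) --d--> (t+d,u) iff 0 < d <= u - t.
        CLOCK never refuses time, so this is the only source of blocking."""
        if not (0 < d <= self.u - self.t):
            return False
        self.t += d
        return True

    def act(self, labels: Iterable[Label]) -> Optional[FrozenSet[str]]:
        """Non-time step on label set a.  CLOCK admits it only if a[t/x] is
        satisfiable, i.e. every constraint holds at the current t.  Effects:
        R(x,t,a) resets t to 0 if reset(x) is in a; B(x,u,a) replaces u by the
        least u' with x:<=u' in a, if any.  Returns the labels still visible
        after hiding tautologies and assignments, or None if refused."""
        a = frozenset(labels)
        if any(isinstance(l, In) and not l.holds(self.t) for l in a):
            return None
        bounds = [l.u for l in a if isinstance(l, Bound)]
        if any(isinstance(l, Reset) for l in a):
            self.t = 0.0
        if bounds:
            self.u = min(bounds)
        return frozenset(l for l in a if isinstance(l, str))

# the three action label sets occurring in SWITCH'
SW_ON = ("sw-on", Reset(), Bound(10))
SW_ON_AGAIN = ("sw-on", Reset())
SW_OFF = ("sw-off", In(9, 10), Bound(INF))

def switch_scenario() -> List[Tuple[float, str]]:
    """Replays a constructed run of SWITCH'; returns (global time, outcome)."""
    tm, now, log = Timer(), 0.0, []

    def step(d: float) -> None:            # attempted time passage
        nonlocal now
        if tm.advance(d):
            now += d
        else:
            log.append((now, "time blocked"))

    def act(labels: Iterable[Label]) -> None:
        vis = tm.act(labels)
        log.append((now, " ".join(sorted(vis)) if vis is not None else "refused"))

    step(3.0); act(SW_ON)      # lamp on: x := 0, deadline x <= 10
    step(8.0); act(SW_OFF)     # x = 8: constraint x in [9,10] fails
    step(2.5)                  # x would become 10.5 > 10: time is blocked
    step(1.5); act(SW_OFF)     # x = 9.5: allowed, bound lifted to infinity
    step(100.0)                # unbounded again
    return log

if __name__ == "__main__":
    for when, what in switch_scenario():
        print(f"t={when:5.1f}  {what}")
```

The blocked step at global time 11 is the whole point of BOUND: the environment cannot let 2.5 more units pass without the lamp switching off, so in any admissible execution sw-off occurs in the window. The first two `Timer` checks of the paper's own examples ($9.5$ versus $1$ for CLOCK, $(1,10)$ advancing by $8.5$ but not $9.5$ for BOUND) can be reproduced with `Timer()` and `Timer(10)` directly.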


Example. To illustrate the use of multiple, nested clocks we specify the process of 
having breakfast. Breakfast should be both started and finished after 6 am and 
before 9 am. The whole breakfast should take at least 15 minutes, and, since fresh 
bread is only available at 7.50 am, the end of the breakfast should be situated 
after 8 am. 

$\mathrm{BREAKFAST} = \mathrm{TIMER}_y^{\infty}(\mathrm{TIMER}_x^{\infty}(\{start, x > 6, x{:}{\leq}9, reset(y)\}\ ;$ 
$\quad \{finish, x > 8 \wedge y > \tfrac{1}{4}, x{:}{\leq}\infty\}\ ; \mathrm{STOP}))$ 


5.1.5. Changing Speed 

Thus far, in all timed action transducers that we have considered, time advances 
with the same rate for the action transducer and all the (active) holes. However, 
the framework of timed action transducers allows us to define, quite easily, 
operators that change the speed of processes. 

For all $l, u \in \mathbb{R}^+$ with $l \leq u$, we define a unary timed action transducer 
$\mathrm{RATE}_{[l,u]}$. The action transducer has a single state $s$, which is also the initial state. 
Both the action transducer and its argument have the same set of actions, and in 
fact the action transducer allows the argument to perform any non time-passage 
action $a$ at any time. However, the rate at which the local time changes relative 
to the global time lies in the interval $[l,u]$. 

$s \xrightarrow{a,\{(1,a)\}} s$ if $a \notin \mathbb{R}^+$ 

$s \xrightarrow{d,\{(1,d')\}} s$ if $d'/d \in [l,u]$ 

It is routine to verify that $\mathrm{RATE}_{[l,u]}$ is a timed action transducer. RATE action 
transducers can be used both to speed up clocks and to make them drift. For 
$r > 1$, $\mathrm{RATE}_{[r,r]}$ speeds its argument up by a factor $r$. For $\Delta < 1$, $\mathrm{RATE}_{[1-\Delta,1+\Delta]}$ 
introduces a tolerance of $\Delta$ on all timing of its argument. We think that RATE 
action transducers can be useful in the process algebraic description of protocols 
that involve drifting clocks, such as the audio control protocol analyzed in 
[BPV94]. 

An interesting property of the RATE action transducers is that in general they 
do not preserve Wang's [Yi90] axiom of time determinism. This axiom, which is 
valid for all timed process algebras that we have encountered in the literature, 
states that the resulting state after a time step is uniquely determined by the 
amount of time that has passed: 

$s \xrightarrow{d} s' \ \wedge\ s \xrightarrow{d} s'' \ \Rightarrow\ s' = s''$ 
5.2. Expressivity of $\mathcal{L}_t$ 

We define $\mathcal{L}_t$ as the language consisting of (1) the timed action transducers 
obtained by applying the patient operation to the untimed operations of the 
language $\mathcal{L}_u$, (2) the CLOCK, BOUND, TIMER and RATE operators. 

The operations from $\mathcal{L}_t$ are sufficiently expressive to define, as derived 
operators, all the constructs that we have encountered in the literature on 
timed process algebras, except those that involve binding mechanisms (like the 
integration construct of [BaB91]) and those that are not compatible with timed 
trace inclusion (like the + from CCS). In this section, we give some of these 
derived operators. Also, we show how one can encode within $\mathcal{L}_t$ the finite state 
fragment of the time-bounded automata model of [MMT91]. 

5.2.1. Wait Constructs 

Using a single timer, we can program the process $\mathrm{WAIT}\ d$ of Timed CSP [ReR88, 
DaS89], which waits time $d$ and then terminates successfully. 

$\mathrm{WAIT}\ d = \mathrm{TIMER}_x^d(x = d)$ 

More generally, we can specify a process that terminates successfully after waiting 
some nondeterministically chosen time from the closed interval $[l,u]$. 

$\mathrm{WAIT}\ [l,u] = \mathrm{TIMER}_x^u(x \geq l)$ 

5.2.2. Urgency 

Using a timer, we can force any action $a$ to be performed immediately: we define 
the urgent action $\bar{a}$ by 

$\bar{a} = \mathrm{TIMER}_x^0(a)$ 

where $x$ is a clock variable to which $a$ does not refer. With urgent actions it 
becomes trivial to define the urgent prefixing operators of TCCS [MoT90] and 
ATP [NiS94]: $a.A = \bar{a}\ ; A$. Urgent actions are also useful for defining the timeout 
construct of Timed CSP. For a given delay $d$ this operator is defined, as in 
[DaS89], by 

$A \mathrel{\triangleright_d} B = (A\ \Box\ (\mathrm{WAIT}\ d\ ; \overline{abort}\ ; B)) \setminus \{abort\}$ 

where $abort$ is a fresh label, not in the label set of $A$ and $B$. If, at time $d$, $A$ has 
not performed any visible action, an interrupt occurs and automaton $B$ is started. 
Note the use of the auxiliary urgent label $\overline{abort}$ to force the choice between $A$ and $B$ at 
time $d$. 

Example. We consider a simple resource-granting system described in [LyA92]. 
The system consists of two components, a watch and a manager. The watch ticks 
at an approximately-predictable rate, and the manager counts ticks in order to 
decide when to grant a resource. The watch is modeled as an automaton WATCH 
that does $tick$ actions, such that the times between successive $tick$ actions, and 
the time of the first $tick$ action, are in the interval $[c_1, c_2]$: 

$\mathrm{WATCH} = (\mathrm{WAIT}\ [c_1, c_2]\ ; tick)^{\omega}$ 



532 


N. A. Lynch and F. W. Vaandrager 


Automaton MANAGER models the manager: it waits a particular number $k > 0$ 
of $tick$ actions before it does a $grant$ action, counting from the beginning or from 
the last preceding $grant$. We assume that a $grant$ action occurs within $l$ time units 
after it has been enabled, for some $l < c_1$. 

$\mathrm{MANAGER} = (\mathrm{MANAGER}_k)^{\omega}$ 

$\mathrm{MANAGER}_i = tick\ ; \mathrm{MANAGER}_{i-1}$ for $0 < i \leq k$ 
$\mathrm{MANAGER}_0 = \mathrm{WAIT}\ [0,l]\ ; grant$ 

The full system can now be described as the parallel composition of automata 
WATCH and MANAGER, with the $tick$ action hidden: 

$\mathrm{SYSTEM} = (\mathrm{WATCH} \parallel \mathrm{MANAGER}) \setminus \{tick\}$ 

Essentially, the result about the resource-granting system proved in [LyA92] is 
that 

$\mathrm{SYSTEM} \leq_t (\mathrm{WAIT}\ [k \cdot c_1 - l,\ k \cdot c_2 + l]\ ; grant)^{\omega}$ 

Example. Another example, taken from [BaB91], is a watch that is perfect, except 
for some fluctuations of the ticks: 

$\mathrm{WATCH}' = \mathrm{WAIT}\ 0.5\ ;$ 
$\quad ((\mathrm{WAIT}\ [0.5 - \varepsilon, 0.5 + \varepsilon]\ ; tick\ ; \mathrm{STOP})\ \triangle\ \mathrm{WAIT}\ 1)^{\omega}$ 

5.2.3. Execution Delay 

The execution delay operator of ATP [NSY93, NiS94] is given by: 

$\lfloor A \rfloor_d(B) = (\mathrm{TIMER}_x^d((A\ \triangle\ (abort\ ; B)) \parallel C)) \setminus \{abort, cancel\}$ 

where 

$C = (cancel\ \Box\ \{abort, x = d\})\ ; x{:}{\leq}\infty\ ; \mathrm{STOP}$ 

$\lfloor A \rfloor_d(B)$ behaves as $A$ until time $d$; at time $d$, $A$ is interrupted and $B$ is started. 
However, if $A$ performs an action with the label $cancel$, then the interrupt is 
cancelled and $A$ can continue to run forever. The process $C$ takes care that once 
$A$ has done a $cancel$, it can no longer be interrupted by $B$. Also $C$ removes 
deadline $d$ after a $cancel$ or $abort$ action. We assume that $A$ and $B$ do not have 
$abort$ in their label set, nor any label referring to timer $x$. The labels $cancel$ 
and $abort$ are hidden so that they cannot synchronise with any action of the 
environment. A minor difference between our execution delay operator and the 
one from ATP is that ours allows machine $A$ to perform visible actions at time $d$. 

5.2.4. MMT-automata 

It is possible to encode within $\mathcal{L}_t$ each finite state time-bounded automaton in the 
sense of [MMT91]. We will refer to time-bounded automata as MMT-automata, 
derived from the names of the authors of [MMT91]. The MMT-automata model 
is an extension with real-time of the I/O automata model of [LyT87]. It has been 
used extensively in [LyA92, SAL93] for verification purposes. 
An MMT-automaton $B$ consists of⁸: 

• an (untimed) automaton $A$, 

• a partitioning of $acts(A)$ into three sets of input, output and internal actions, 
respectively; it is required that input actions are enabled in each state, i.e., 
for each state $s'$ and for each input action $a$ there exists a state $s$ such that 
$s' \xrightarrow{a}_A s$, 

• a partition $\{C_1, \ldots, C_n\}$ of the locally controlled (output and internal) actions 
into equivalence classes, 

• for each class $C_i$, a lower time bound $b_l(C_i) \in \mathbb{R}^{\geq 0}$ and an upper time bound 
$b_u(C_i) \in \mathbb{R}^+ \cup \{\infty\}$, such that $b_l(C_i) \leq b_u(C_i)$. 

⁸ Here we follow the definition from [LyA92], which is slightly more restrictive than the original 
definition of [MMT91] because it does not allow for strict bounds. This restriction is not crucial, but 
only convenient. 

Intuitively, in a real-time execution of $B$ we just take steps from $A$, but the times 
at which these steps may occur are constrained by the bound maps $b_l$ and $b_u$. 
Suppose that during execution a class $C_i$ becomes enabled at time $t$. Then $b_l$ and 
$b_u$ specify that if $C_i$ stays enabled, an action from $C_i$ must be executed in the time 
interval $[t + b_l(C_i), t + b_u(C_i)]$. If $C_i$ becomes disabled, then the timing constraints 
on $C_i$ are removed. 

Without loss of generality, we may assume that $A$ has only a single start 
state: if there are $n > 1$ start states then the encoding of $A$ can be defined as the 
disjoint union of the encodings of $n$ copies of $A$ in which the set of start states 
is restricted to a singleton. In our encoding of $A$, we assume for each class $C_i$ a 
corresponding clock variable $x_i$. 

As an intermediate step, we define an auxiliary automaton $A^+$, which is 
identical to $A$ except that the labels of the transitions have been enriched with 
extra information: the set of labels of $A^+$ consists of the input and output actions 
of $A$, together with the set of clock constraints and assignments that refer to 
$x_1, \ldots, x_n$. For each step $s' \xrightarrow{a} s$ of $A$, automaton $A^+$ contains a corresponding step 

$s' \xrightarrow{b \cup \{\phi\} \cup S} s$ 

where $b$ is empty if $a$ is an internal action and equal to $\{a\}$ otherwise, $\phi$ is a clock 
constraint that is equal to $true$ if $a$ is an input action and equal to $x_j \geq b_l(C_j)$ 
if $a$ is a locally controlled action that belongs to class $C_j$, and $S$ is a label set 
consisting of: 

• a label $reset(x_j)$ if $a$ is a locally controlled action in $C_j$, 

• labels $reset(x_j)$ and $x_j{:}{\leq}b_u(C_j)$ for those classes $C_j$ that are not enabled in $s'$ 
but are enabled in $s$, 

• a label $x_j{:}{\leq}\infty$ for those classes $C_j$ that are enabled in $s'$ but not in $s$. 

Under the assumption that $A$ (and hence $A^+$) is finite there exists, by Theorem 3.1, 
an $\mathcal{L}_u$-expression $expr(A^+)$ denoting $A^+$ up to tree equivalence. Using 
this auxiliary expression, we define the $\mathcal{L}_t$-expression $expr(B)$ by 

$expr(B) = \mathrm{TIMER}_{x_1}^{u_1}(\cdots \mathrm{TIMER}_{x_n}^{u_n}(expr(A^+)) \cdots)$ 

where $u_i$ equals $b_u(C_i)$ if $C_i$ is enabled in the start state, and $\infty$ otherwise. Without 
proof, we claim that $expr(B)$ generates exactly the same timed behaviours as the 
MMT-automaton $B$ according to the definition of [MMT91]. 
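The enrichment $A \mapsto A^+$ is a purely combinatorial pass over the steps of $A$, so it can be written down directly. The following is an added example, not code from the paper: it builds the label sets $b \cup \{\phi\} \cup S$ and the initial bounds $u_i$ for a constructed two-state MMT-automaton with one input action `req` and one output class $C_1 = \{grant\}$ with bounds $[2,10]$. The `MMT` record, the `input`/`output`/`internal` kind names and the string spelling of the labels are this example's own choices.

```python
# Added example: the A -> A^+ label enrichment of Section 5.2.4 and the
# initial bounds u_i of expr(B).  Data layout and label spelling are this
# example's own assumptions; the paper fixes only the construction.
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

@dataclass
class MMT:
    steps: Set[Tuple[str, str, str]]   # (s', a, s)
    kind: Dict[str, str]               # action -> 'input' | 'output' | 'internal'
    cls: Dict[str, int]                # locally controlled action -> class index j
    b_l: Dict[int, float]              # lower bound per class
    b_u: Dict[int, float]              # upper bound per class (math.inf allowed)

    def enabled_classes(self, s: str) -> Set[int]:
        """Classes C_j with some action enabled in state s."""
        return {self.cls[a] for (s1, a, _) in self.steps if s1 == s and a in self.cls}

    def inputs_always_enabled(self) -> bool:
        """The input-enabledness requirement of the definition."""
        states = {x for (s1, _, s) in self.steps for x in (s1, s)}
        inputs = [a for a, k in self.kind.items() if k == "input"]
        return all(any(s1 == s and a2 == a for (s1, a2, _) in self.steps)
                   for s in states for a in inputs)

def enrich(B: MMT) -> Set[Tuple[str, FrozenSet[str], str]]:
    """Steps of A^+: (s', b u {phi} u S, s) for every step (s', a, s) of A."""
    result = set()
    for (s1, a, s) in B.steps:
        lab: Set[str] = set()
        if B.kind[a] != "internal":
            lab.add(a)                                   # b = {a}
        if B.kind[a] == "input":
            lab.add("true")                              # phi for an input
        else:
            j = B.cls[a]
            lab.add(f"x{j}>={B.b_l[j]}")                 # phi = x_j >= b_l(C_j)
            lab.add(f"reset(x{j})")                      # S, first bullet
        before, after = B.enabled_classes(s1), B.enabled_classes(s)
        for j in after - before:                         # newly enabled classes
            lab.add(f"reset(x{j})")
            lab.add(f"x{j}:<={B.b_u[j]}")
        for j in before - after:                         # classes that became disabled
            lab.add(f"x{j}:<=inf")
        result.add((s1, frozenset(lab), s))
    return result

def initial_bounds(B: MMT, start: str) -> Dict[int, float]:
    """u_i = b_u(C_i) if C_i is enabled in the start state, infinity otherwise."""
    enabled = B.enabled_classes(start)
    return {j: (B.b_u[j] if j in enabled else math.inf) for j in B.b_u}

def example_mmt() -> MMT:
    """Constructed automaton: idle --req--> busy --grant--> idle, req always enabled."""
    return MMT(
        steps={("idle", "req", "busy"), ("busy", "req", "busy"), ("busy", "grant", "idle")},
        kind={"req": "input", "grant": "output"},
        cls={"grant": 1},
        b_l={1: 2},
        b_u={1: 10},
    )

if __name__ == "__main__":
    B = example_mmt()
    assert B.inputs_always_enabled()
    for s1, lab, s in sorted(enrich(B)):
        print(f"{s1} --{sorted(lab)}--> {s}")
    print(initial_bounds(B, "idle"))
```

Note how the `req` step into `busy` both starts the clock (`reset(x1)`) and installs the deadline `x1:<=10`, while `grant` re-arms the clock and lifts the deadline with `x1:<=inf` because $C_1$ is disabled in `idle`; wrapping `expr(A^+)` in $\mathrm{TIMER}_{x_1}^{\infty}$ then enforces the $[2,10]$ window exactly as the text describes.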


5.3. Counterexamples 


Although the converse of Theorem 4.4 does not hold, our result appears to be 
quite sharp: for many examples of timed action transducers that are not Zeno- 
and $\tau$-respecting, the timed trace preorders are indeed not substitutive. 

The timed trace preorders $\leq_t$ and $\leq_{*t}$ are for instance not substitutive for the 
operation of infinitary external choice. It is easy to see that $\mathrm{WAIT}\ 2 =_t \mathrm{WAIT}\ 1\ ; 
\mathrm{WAIT}\ 1$: both processes wait time 2 and then terminate successfully. However, for 
infinite $I$, 

$\Box_{i \in I}(\mathrm{WAIT}\ 2) \not\leq_t \Box_{i \in I}(\mathrm{WAIT}\ 1\ ; \mathrm{WAIT}\ 1)$ 

because, unlike the first process, the second process will never manage to do a 
successful termination action at time 2, since it has to do an infinite number of $\tau$ 
actions at time 1. 

Another example is the choice operator + that plays a dominant role in many 
real-time process calculi (TCCS [MoT90], the timed extension of CCS proposed 
in [Yi90], ATP [NiS94], and ACP$\rho$ [BaB91]). This operator is just the patient 
version of the choice operator from CCS, which has three states $s, s_1, s_2$, with s 
start state, and steps (for $i \in \{1,2\}$, and all actions a and b of the first and second 
argument, respectively): 

$$s \xrightarrow{\{(1,a)\}} s_1 \qquad s_1 \xrightarrow{\{(1,a)\}} s_1$$
$$s \xrightarrow{\{(2,b)\}} s_2 \qquad s_2 \xrightarrow{\{(2,b)\}} s_2$$

The timed trace preorder is not substitutive for the patient version of + because, for instance, 

$$\mathrm{WAIT}\,2 + \mathrm{WAIT}\,1.5 \;\not\leq\; (\mathrm{WAIT}\,1 ; \mathrm{WAIT}\,1) + \mathrm{WAIT}\,1.5$$

The first process terminates at time 1.5, whereas the second process terminates at 
time 2. 

The loss of substitutivity may be viewed as a problem for a process algebra 
with CCS choice based on trace equivalence (it is not a problem if certain other 
equivalences are used, such as observational congruence [MoT92]). Via Lemma 5.1 
we have identified a general class of operations for which trace equivalence is 
a congruence and with patient versions for which timed trace equivalence is 
a congruence. Even though we advocate in this paper the use of timed trace 
equivalence, we think it will be quite interesting to extend Van Glabbeek’s [Gla93] 
lattice of process equivalences with a real-time dimension, and to study the impact 
of the patient construction on congruence properties for other equivalences as 
well. 


5.4. Remarks 

Some untimed operators display undesired behaviour when transformed into 
timed operators via the patient construction. We give an example. In a timed 
process algebra, one typically wants to have the identity 

WAIT 1 ; WAIT 1 = WAIT 2 
In order for this equation to be valid it is essential that in the action transducer 
for the untimed sequential composition operator the second argument is 
not active in the initial state. In [GrV92], a sequential composition operator is 
described for which this is not the case: 

$$s_1 \xrightarrow{\{(1,a)\}} s_1 \quad \text{if } a \neq \checkmark$$
$$s_1 \xrightarrow{\{(1,\checkmark),(2,b)\}} s_2$$
$$s_2 \xrightarrow{\{(2,b)\}} s_2$$

For the patient version of this operator we obtain the undesired identity 

$$\mathrm{WAIT}\,1 ; \mathrm{WAIT}\,1 = \mathrm{WAIT}\,1$$
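To make the counterexample of Section 5.3 (patient CCS choice) and the undesired identity of Section 5.4 concrete, the following Python program is an added example and not part of the paper or of any cited calculus. It encodes each process as the set of its complete timed traces and models WAIT, the usual sequential composition (second argument inactive until the first terminates), the patient version of CCS choice (time passes in both arguments until the first instantaneous action resolves the choice), and the patient version of the [GrV92] sequential composition (second argument active from the start). The trace-set encoding, the action names tick (successful termination) and tau, and the restriction of the [GrV92] operator to the case where the two synchronised instants coincide are assumptions of this example.

```python
# Added example (not from the paper): a trace-set model of WAIT, sequential
# composition and the patient CCS choice, as assumed here.
from fractions import Fraction as F

TICK = "tick"   # successful termination action (the paper's check mark)
TAU = "tau"     # internal action, hidden in timed traces

# A process is a set of complete timed traces; a timed trace is a tuple of
# (absolute time, action) pairs in non-decreasing time order.

def wait(d):
    """WAIT d: let time d pass, then terminate successfully."""
    return {((F(d), TICK),)}

def seq(p, q):
    """P ; Q (usual definition): the successful termination of P becomes an
    internal step at which Q starts; Q is not active before that step, so
    Q's clock only starts running once P has terminated."""
    out = set()
    for tp in p:
        t_end, last = tp[-1]
        assert last == TICK, "first argument must terminate"
        for tq in q:
            shifted = tuple((t_end + t, a) for t, a in tq)
            out.add(tp[:-1] + ((t_end, TAU),) + shifted)
    return out

def seq_both_active(p, q):
    """Patient version of the [GrV92] sequential composition: the second
    argument is active in the initial state, so time passes in Q from
    time 0 and P's termination is synchronised with Q's first action.
    Only the case in which the two instants coincide is modelled, which is
    all the identity WAIT 1 ; WAIT 1 = WAIT 1 needs (example assumption)."""
    out = set()
    for tp in p:
        t_end, last = tp[-1]
        assert last == TICK, "first argument must terminate"
        for tq in q:
            t_first, _ = tq[0]
            if t_first != t_end:
                raise ValueError("case not covered by this example")
            out.add(tp[:-1] + tq)      # Q's trace is NOT shifted by t_end
    return out

def choice(p, q):
    """Patient version of CCS choice: time passes in both arguments while
    the choice is unresolved; the first instantaneous action (visible, tau
    or tick) of either argument resolves the choice and the other argument
    is discarded. Ties at the same instant are resolved nondeterministically."""
    out = set()
    for tp in p:
        for tq in q:
            t1, t2 = tp[0][0], tq[0][0]
            if t1 <= t2:
                out.add(tp)
            if t2 <= t1:
                out.add(tq)
    return out

def timed_traces(proc):
    """Externally visible timed traces: internal steps are hidden."""
    return {tuple((t, a) for t, a in tr if a != TAU) for tr in proc}

def termination_times(proc):
    """Instants at which the process may terminate successfully."""
    return {t for tr in proc for t, a in tr if a == TICK}

def counterexample():
    """Return (timed-trace equivalent before the context is applied,
    termination times of WAIT 2 + WAIT 1.5,
    termination times of (WAIT 1 ; WAIT 1) + WAIT 1.5)."""
    w2 = wait(2)
    w11 = seq(wait(1), wait(1))
    equivalent_before = timed_traces(w2) == timed_traces(w11)
    lhs = termination_times(choice(w2, wait(F(3, 2))))
    rhs = termination_times(choice(w11, wait(F(3, 2))))
    return equivalent_before, lhs, rhs

if __name__ == "__main__":
    # (True, {Fraction(3, 2)}, {Fraction(2, 1)}): the arguments are timed
    # trace equivalent, yet the contexts terminate at different instants.
    print(counterexample())
    # {Fraction(1, 1)}: the undesired identity of Section 5.4.
    print(termination_times(seq_both_active(wait(1), wait(1))))
```

The internal step that seq inserts at the termination instant of its first argument is what resolves the patient choice in favour of WAIT 1 ; WAIT 1 at time 1, discarding WAIT 1.5; WAIT 2 performs no instantaneous action before time 2, so WAIT 1.5 wins in the first context. Hiding that internal step makes the two arguments indistinguishable by timed traces, which is exactly why the preorder is not substitutive for this operator.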

A very interesting issue that we can only touch upon in this paper is the 
impact of the patient construction on the validity of algebraic laws. All the laws that 
we have checked and that are valid for $\mathcal{L}_u$ up to trace equivalence remain valid 
for $\mathcal{L}_t$ up to timed trace equivalence. However, in general it is not the case that 
the patient construction preserves validity of algebraic laws. For instance, the law 

$$A * B = A ; (A * B) \;\Box\; B$$

holds (in a semantics based on trace equivalence) for the variant of the iteration operator in 
which only a single copy is made of the second argument, but does not hold after 
the patient construction has been applied (in a semantics based on timed trace equivalence). 

6. Discussion 

The main result of this paper is the characterisation in terms of action transducers 
of a very general class of operations that preserve inclusion of timed traces. For 
the untimed case, several substitutivity results for classes of operations have been 
reported in the literature (see, for instance, [Sim85, BIM88, GrV92]). We believe 
our result to be the first one of this kind for the timed case. The combined 
complexity of multiple start states, infinitely many arguments, copying, activation 
and deactivation of arguments, internal actions, and different rates makes the 
proof of our result rather involved. It appears that we have now reached a 
point at which any obvious generalisation of the class of operations violates the 
substitutivity property. 

We think that many other equivalences and preorders for timed systems that 
have been proposed in the literature, such as the timed bisimulation equivalence 
of [Klu93], are also preserved by our class of action transducers. We expect that 
the situation in the timed case will be largely analogous to the one in the untimed 
linear time - branching time spectrum of [Gla93] where, roughly speaking, we see 
that the finer the behavioural equivalence, the larger the class of operations for 
which it is substitutive. However, results in this area still need to be worked out. 

An obvious question left open in this paper is to find a sound and complete 
axiomatisation of timed trace inclusion for the language $\mathcal{L}_t$, or a fragment of 
it. Results of [AlD94] can be adapted to show that, even if we exclude the 
RATE operator and only allow for rational numbers in clock constraints and 
bounds, deciding timed trace inclusion for $\mathcal{L}_t$ is $\Pi^1_1$-hard. Hence there does 
not exist a finite equational axiomatisation of timed trace inclusion for the full 
language $\mathcal{L}_t$. However, it may be possible to find interesting partial results: 
axioms that allow the elimination of certain operators in favor of others, or 
complete axiomatisations of subcalculi. For this it might be necessary to add to 
the language auxiliary operators such as the integration construct of timed ACP 
[BaB91]. 

Before it can become practically useful, the language $\mathcal{L}_t$ will have to be 
extended with a more powerful mechanism for recursion, and with the possibility 
to parameterise processes and actions with data. Such extensions are standard, 
however, and one could simply follow the approaches taken in process algebras 
such as Extended LOTOS [Bri88] or $\mu$CRL [GrP93]. 

We do not believe that one single approach, assertional or process algebraic, 
can solve all problems regarding the specification and verification of timed 
systems. A solution has to be sought rather in a smooth combination of various 
formalisms. Use of process algebraic notation often allows one to give compact, 
intuitive specifications of timed systems. Thus far, however, process algebraic 
techniques cannot claim much success when it comes to verification of timed 
systems. Here assertional methods appear to perform much better (see, for instance, 
[SAL93, HeL94, BPV94]). Because the notion of explicit timers fits rather well 
with assertional proof techniques for real-time (see [AbL92, BPV94]), we hope 
that it will not be too difficult to use these techniques, and in particular the 
simulation proof methods of [LyV92, LyV93], in the setting of our language $\mathcal{L}_t$. 
Together with a limited repertoire of algebraic laws, this may then form the basis 
of a methodology in which the benefits of algebraic and assertional methods can 
be combined. 